CVE-2021-24655

Summary

The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.

Affected Software

VendorProductVersion RangeStatus
UnknownWP User Manager – User Profile Builder & Membership2.6.3 < 2.6.3affected

Weaknesses

  • CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key

ADP Enrichment

CVE Program Container

Additional References

References