CVE-2021-24655
published 2022-07-17


Priority: P3 45 high
CVSS 3.1 base score: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.83% (52.9th percentile)
The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.

Affected

1 range

Vendor          Product           Version range   Fixed in
wpusermanager   wp_user_manager   < 2.6.3         2.6.3

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      6.0     MEDIUM     AV:N/AC:M/Au:S/C:P/I:P/A:P