CVE-2024-1290

CWE-269 — Improper Privilege Management CWE-20 — Improper Input Validation4 documents4 sources

Severity

6.5MEDIUM

EPSS

0.4%

top 37.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown User Registration Strategy11 User Registration Forms

Timeline

PublishedMar 11

Latest updateSep 4

Description

The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5unknown/user_registration< 2.12

▶NVDstrategy11/user_registration_forms< 2.12

🔴Vulnerability Details

CVEList

Formidable Registration < 2.12 - Contributor+ Arbitrary User Password Reset To Account Takeover↗2024-03-11

▶

GHSA

GHSA-hgjm-23r8-g35c: The User Registration WordPress plugin before 2↗2024-03-11

▶

📋Vendor Advisories

Red Hat

kernel: mm, slub: do not call do_slab_free for kfence object↗2024-09-04

▶