CVE-2026-12417
Published 2026-06-24
CVE-2026-12417: The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up…
Priority P271 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.45% (36.2th percentile)
The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the `pravel_change_password()` AJAX handler — registered via `wp_ajax_nopriv_pravel_change_password` and therefore accessible to unauthenticated users — performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied `reset_activation_code` POST parameter and the target user's `forgot_email` user meta value; when a user has never initiated a password reset, `get_user_meta()` returns an empty string that trivially satisfies this check against an omitted or empty attacker-supplied code. This makes it possible for unauthenticated attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request to `admin-ajax.php` with `action=pravel_change_password`, `reset_user_id` set to the target account's user ID, and `new_password_custom` set to an attacker-chosen password. Successful exploitation allows the attacker to authenticate with the newly set password and fully take over the targeted account, achieving administrator-level privilege escalation on the affected site.
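The mechanism described above (an empty stored reset value matching an omitted or empty submitted code under loose comparison, with no nonce or ownership check on an unauthenticated AJAX endpoint) is shown below next to a hardened handler. This PHP is an added example written for this page; it is not the plugin's code. The function names and meta keys prefixed `example_`, the nonce action name and the 12-character minimum are assumptions; the WordPress functions used (`check_ajax_referer`, `get_user_meta`, `delete_user_meta`, `wp_set_password`, `wp_send_json_error`, `wp_send_json_success`) are real.

```php
<?php
// Added example, not the plugin's code. Names and meta keys prefixed
// "example_" are hypothetical; the WordPress API calls are real.

/**
 * Loose check of the kind the advisory describes. When no reset was ever
 * requested, get_user_meta() returns '' for the meta key, and an omitted
 * (null) or empty ('') submitted code compares equal to it under PHP's ==.
 */
function example_loose_code_check( $submitted, $stored ) {
	return $submitted == $stored; // '' == '' and null == '' are both true
}

/**
 * Strict check: both sides must be non-empty strings and are compared
 * in constant time, so an absent reset never matches an absent code.
 */
function example_reset_code_matches( $submitted, $stored ) {
	if ( ! is_string( $submitted ) || ! is_string( $stored ) ) {
		return false;
	}
	if ( '' === $submitted || '' === $stored ) {
		return false;
	}
	return hash_equals( $stored, $submitted );
}

/**
 * Hardened password-change handler exposed on the nopriv AJAX path.
 * Assumes the reset-request step stored a random code and an expiry
 * timestamp under the hypothetical meta keys used below.
 */
function example_change_password() {
	// Nonce bound to the reset form. Not an authentication control by
	// itself, but it blocks blind cross-site POSTs to the endpoint.
	check_ajax_referer( 'example_reset_nonce', 'nonce' );

	$user_id  = isset( $_POST['reset_user_id'] ) ? absint( $_POST['reset_user_id'] ) : 0;
	$code     = isset( $_POST['reset_activation_code'] )
		? sanitize_text_field( wp_unslash( $_POST['reset_activation_code'] ) ) : '';
	$password = isset( $_POST['new_password_custom'] )
		? (string) wp_unslash( $_POST['new_password_custom'] ) : '';

	if ( ! $user_id || ! get_userdata( $user_id ) ) {
		wp_send_json_error( 'invalid request', 400 ); // calls wp_die()
	}

	$stored  = get_user_meta( $user_id, 'example_reset_code', true );
	$expires = (int) get_user_meta( $user_id, 'example_reset_expires', true );

	// An empty stored code means no reset is pending; the strict check
	// rejects it instead of treating it as a match.
	if ( ! example_reset_code_matches( $code, $stored ) || $expires < time() ) {
		wp_send_json_error( 'invalid or expired reset code', 403 );
	}

	if ( strlen( $password ) < 12 ) {
		wp_send_json_error( 'password too short', 400 );
	}

	// Single use: invalidate the code before the password changes.
	delete_user_meta( $user_id, 'example_reset_code' );
	delete_user_meta( $user_id, 'example_reset_expires' );

	wp_set_password( $password, $user_id );
	wp_send_json_success( 'password updated' );
}
add_action( 'wp_ajax_nopriv_example_change_password', 'example_change_password' );
add_action( 'wp_ajax_example_change_password', 'example_change_password' );
```

The important property is in `example_reset_code_matches()`: an account with no pending reset has an empty stored value, and the strict check makes that state unmatchable rather than matchable by default. Expiry and single-use deletion limit the window in which a legitimately issued code can be replayed.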
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pravel | signup_signin | <= 1.0.0 | — |
VulDB
vuldb · 2026-06-26 · CVSS 9.8
CVE-2026-12417 [CRITICAL] pravel SignUp & SignIn Plugin up to 1.0.0 on WordPress: AJAX admin-ajax.php pravel_change_password reset_activation_code password recovery
A vulnerability, which was classified as critical, has been found in pravel SignUp & SignIn Plugin up to 1.0.0 on WordPress. This impacts the function pravel_change_password of the file admin-ajax.php of the component AJAX Handler. This manipulation of the argument reset_activation_code causes weak password recovery.
The identification of this vulnerability is CVE-2026-12417. It is possible to initiate the attack remotely. There is no exploit available.
GHSA
ghsa_unreviewed · 2026-06-24
CVE-2026-12417 [CRITICAL] CWE-640 The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L222
- https://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L229
- https://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L38
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c0a617fc-da3d-4828-b027-44093dd11769?source=cve
Published: 2026-06-24