Vulnerabilities > CVE-2021-24655 - Authorization Bypass Through User-Controlled Key vulnerability in Wpusermanager WP User Manager

CVSS 6.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

wpusermanager

CWE-639

NVD

Published: 2022-07-17

Updated: 2022-07-18

Summary

The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.

Vulnerable Configurations

Part	Description	Count
Application	Wpusermanager Wpusermanager WP User Manager *	1

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541f