CVE-2021-24655

CVE-2021-24655: WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise

Vendor: Unknown
Product: WP User Manager – User Profile Builder & Membership
Weakness: CWE-639 (IDOR)
Published: July 17, 2022
Last update: August 3, 2024

CVSS base score

What the vulnerability does

Description

The WP User Manager WordPress plugin before 2.6.3 does not verify that the user ID whose password is being reset is the one the supplied reset key was issued for. As a result, any authenticated user who holds a valid reset key can reset the password of any other user (to an arbitrary value) knowing only that user's ID, and thereby gain access to their account.
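As an added illustration (not the plugin's own code), the Python sketch below contrasts a reset handler that only checks that a key exists with one that binds the key to the user it was issued for, as the fix requires; the in-memory stores, user IDs and function names are assumptions.

```python
import hashlib
import secrets
import time

# Constructed stand-ins for the plugin's database tables (assumption).
USERS = {7: "alice", 42: "bob"}   # user_id -> login
RESET_KEYS = {}                   # sha256(key) -> (user_id, expires_at)
PASSWORDS = {}                    # user_id -> scrypt hash

def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()

def _store_password(user_id: int, new_password: str) -> None:
    salt = secrets.token_bytes(16)
    PASSWORDS[user_id] = salt + hashlib.scrypt(new_password.encode(), salt=salt, n=2**14, r=8, p=1)

def issue_reset_key(user_id: int, ttl: int = 3600) -> str:
    """Create a reset key bound to exactly one user, with an expiry."""
    key = secrets.token_urlsafe(32)
    RESET_KEYS[_digest(key)] = (user_id, time.time() + ttl)
    return key

def reset_password_vulnerable(user_id: int, key: str, new_password: str) -> bool:
    """CWE-639 pattern: the key is only checked for existence, so a valid key
    issued to one user resets whichever user_id the caller names."""
    if _digest(key) not in RESET_KEYS or user_id not in USERS:
        return False
    _store_password(user_id, new_password)
    return True

def reset_password_fixed(user_id: int, key: str, new_password: str) -> bool:
    """Hardened: the key must have been issued for this user_id, be unexpired,
    and is consumed on first use."""
    entry = RESET_KEYS.get(_digest(key))
    if entry is None or user_id not in USERS:
        return False
    bound_user, expires_at = entry
    if bound_user != user_id or time.time() > expires_at:
        return False
    del RESET_KEYS[_digest(key)]  # single use
    _store_password(user_id, new_password)
    return True

def demo() -> dict:
    """Key issued to alice (id 7), then used against bob (id 42) by both handlers."""
    RESET_KEYS.clear(); PASSWORDS.clear()
    key = issue_reset_key(7)
    return {
        "vulnerable_cross_user": reset_password_vulnerable(42, key, "new-pw"),
        "fixed_cross_user": reset_password_fixed(42, key, "new-pw"),
        "fixed_own_user": reset_password_fixed(7, key, "new-pw"),
        "fixed_replay": reset_password_fixed(7, key, "again"),
    }
```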

Key dates

Disclosure timeline

July 17, 2022: CVE published
August 3, 2024: Record updated