What the vulnerability does
01 Description
The DWT - Directory & Listing WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.6. This is due to the theme not properly checking for an empty token value prior to resetting a user's password through the dwt_listing_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
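An added illustrative example, not the theme's own code and not the vendor's patch: the assumed shape of a reset handler that accepts an empty token, next to a hardened version that refuses empty or missing tokens and hands validation to WordPress core. The request parameter names (token, user_id, user_login, password) and the dwt_reset_token meta key are assumptions; the advisory states only that the token value is not checked for emptiness before the password is reset.

```php
<?php
// Illustrative example added to this advisory. Not the DWT theme's real code.
// Parameter names and the meta key are hypothetical.

// ASSUMED VULNERABLE PATTERN: a user who never requested a reset has no stored
// token, so get_user_meta() returns ''. The handler only asks whether the
// submitted value equals the stored one, so token='' (or no token at all)
// matches every such user, including administrators.
function dwt_listing_reset_password_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0;
    $token   = isset( $_POST['token'] ) ? (string) $_POST['token'] : '';
    $new     = isset( $_POST['password'] ) ? (string) $_POST['password'] : '';

    $stored = get_user_meta( $user_id, 'dwt_reset_token', true ); // '' when unset

    if ( $stored == $token ) {            // '' == '' is true: the missing emptiness check
        wp_set_password( $new, $user_id );
        wp_send_json_success();           // terminates the request
    }
    wp_send_json_error( 'invalid token' );
}

// HARDENED: reject an absent or empty token before any comparison, then let
// core validate the key against the user's hashed, expiring reset key.
function dwt_listing_reset_password_hardened() {
    $login = isset( $_POST['user_login'] ) ? sanitize_user( wp_unslash( $_POST['user_login'] ) ) : '';
    $token = isset( $_POST['token'] ) ? sanitize_text_field( wp_unslash( $_POST['token'] ) ) : '';
    $new   = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';

    // The check the vulnerable version lacks: empty input never reaches the comparison.
    if ( '' === $login || '' === $token || '' === $new ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    // check_password_reset_key() compares against the key issued by
    // get_password_reset_key() and returns WP_Error on mismatch or expiry.
    $user = check_password_reset_key( $token, $login );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'invalid or expired token', 403 );
    }

    reset_password( $user, $new );        // sets the password and clears the reset key
    wp_send_json_success();
}
```

If a theme must keep its own token store instead of core's reset keys, the same rule applies: refuse the request while the submitted token or the stored token is empty, and only then compare the two with hash_equals() so the check is neither bypassable by empty values nor timing-dependent.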
Explanation of Vulnerability in Simple Terms
02 Summary
The DWT - Directory & Listing WordPress Theme contains a vulnerability that allows unauthenticated attackers to reset the password of any user account, including administrator accounts, and then log in as that user, without any user interaction. With an administrator account, the attacker can read, modify, or delete data on the affected site. The flaw affects all versions up to and including 3.3.6. No authentication or special configuration is required to exploit this issue. Site administrators should update immediately to a version newer than 3.3.6.
What an attacker can do
03 Attacker Capabilities
Reset the password of any user account, including administrators, without logging in; then use the new password to take over that account and read, modify, or delete site data.
Potential impact on your site
04 Site Impact
An attacker who takes over an administrator account gains full control of your site, including its data, content, users, and functionality, without needing any credentials up front.
Conditions required to exploit
05 Prerequisites
Network access to the site's password-reset handler only; no authentication or user interaction required. The site must be running the theme at version 3.3.6 or earlier.
Key dates
06 Disclosure timeline
June 27, 2025: CVE published
April 8, 2026: Record updated