CVE-2024-9104 MEDIUM

CVE-2024-9104: UltimateAI <= 2.8.3 - Limited User Password Change due to Improper Empty and Missing Default Value Check

Vendor Tophive
Product Ultimate AI
Weakness CWE-703
Published October 16, 2024
Last update April 8, 2026

CVSS base score: 5.6/10 (Medium)

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

The UltimateAI plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.3. This is due to an improper empty-value check and a missing default-activated-value check in the 'ultimate_ai_change_pass' function. This makes it possible for unauthenticated attackers to reset the password of the first subscriber-role user whose account is not yet activated, or of the first subscriber-role user who activated their account.
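The following is an added illustration of the defect class the description names (an empty-value check that is skipped and an activation flag left at its default), shown beside a hardened version of the same handler. It is not the UltimateAI plugin's code: the record layout, field names, and function names are assumptions made for this example, and the user records are constructed.

```php
<?php
// Added example, not the plugin's own code. The record layout, field names and
// function names are assumptions; the user records below are constructed.
//
// In a real WordPress handler $key and $newPass would come from the request
// (e.g. $_POST) after sanitisation; here they are plain function arguments so
// the matching logic can be run stand-alone with `php example.php`.

// Constructed user records (assumed layout). A freshly registered subscriber
// has an empty activation key and the default 'activated' value of 0.
$users = [
    ['id' => 7, 'role' => 'subscriber', 'activation_key' => '',     'activated' => 0, 'pass' => 'hash-7'],
    ['id' => 8, 'role' => 'subscriber', 'activation_key' => '',     'activated' => 1, 'pass' => 'hash-8'],
    ['id' => 9, 'role' => 'subscriber', 'activation_key' => 'k9f3', 'activated' => 1, 'pass' => 'hash-9'],
];

// Defective pattern (assumed): the first subscriber whose stored key equals the
// supplied key gets a new password. Nothing rejects an empty key, and nothing
// requires the 'activated' flag to hold a non-default value, so a request
// carrying no key at all matches the first account whose key was never set.
function change_pass_defective(array &$users, string $key, string $newPass): ?int {
    foreach ($users as &$u) {
        if ($u['role'] === 'subscriber' && $u['activation_key'] == $key) {
            $u['pass'] = password_hash($newPass, PASSWORD_DEFAULT);
            return $u['id'];
        }
    }
    return null;
}

// Hardened pattern: reject an empty key up front, require an explicitly set
// activation state, compare the key in constant time, and only ever touch the
// single account that owns that key.
function change_pass_hardened(array &$users, string $key, string $newPass): ?int {
    if ($key === '') {
        return null; // empty-value check: never match records with an unset key
    }
    foreach ($users as &$u) {
        if ($u['role'] !== 'subscriber') {
            continue;
        }
        if ($u['activated'] !== 1) {
            continue; // default/unset activation state is not an activated account
        }
        if ($u['activation_key'] === '' || !hash_equals($u['activation_key'], $key)) {
            continue;
        }
        $u['pass'] = password_hash($newPass, PASSWORD_DEFAULT);
        return $u['id'];
    }
    return null;
}

// Demonstration on the constructed records.
$copy = $users;
var_dump(change_pass_defective($copy, '', 'new-secret'));      // int(7): account with unset key is hit
$copy = $users;
var_dump(change_pass_hardened($copy, '', 'new-secret'));       // NULL: empty key rejected
$copy = $users;
var_dump(change_pass_hardened($copy, 'k9f3', 'new-secret'));   // int(9): only the key's owner
```

The hardened handler illustrates the two checks the description says were missing: an explicit rejection of an empty key and a requirement that the activation flag hold a deliberately set value rather than its default. A constant-time comparison and a strict type check are added on top because a loose `==` between strings is the usual way such a lookup ends up matching more than intended.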

Disclosure timeline

October 16, 2024 CVE published
April 8, 2026 Record updated