What the vulnerability does
01 Description
Cross-Site Request Forgery (CSRF) vulnerability in andy_moyle Emergency Password Reset (plugin slug emergency-password-reset) allows Cross Site Request Forgery. This issue affects Emergency Password Reset: from n/a through <= 9.3, i.e. all released versions up to and including 9.3.
Explanation of Vulnerability in Simple Terms
02 Summary
Emergency Password Reset versions 9.3 and earlier are vulnerable to cross-site request forgery (CSRF). An attacker can craft a webpage that, when opened by a logged-in site administrator, makes the admin's browser submit a password-reset request to the site; because the browser attaches the admin's session cookie and the plugin does not verify that the request came from its own form (for example via a nonce), the reset is performed without the admin's knowledge or consent. The attack requires the victim to open the attacker's page while authenticated; it does not by itself disclose sensitive data.
What an attacker can do
03 Attacker Capabilities
Trick a site admin into visiting a malicious page that resets passwords without their consent.
Potential impact on your site
04 Site Impact
An attacker can reset user passwords on your site if an admin visits a malicious link while logged in.
Conditions required to exploit
05 Prerequisites
The site admin must be logged in (a valid session cookie must be present in the browser) and must open an attacker-controlled webpage, for example by following a link.
Key dates
06 Disclosure timeline
September 22, 2025
CVE published
May 12, 2026
Record updated