CWE-620
AllowedUnverified Password Change
Abstraction: Base · Status: Draft
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
157 vulnerabilities reference this CWE, most recent first.
GHSA-4JJC-6XJ9-R5Q6
Vulnerability from github – Published: 2023-11-18 03:30 – Updated: 2023-11-18 03:30The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 4.2.5. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit.
{
"affected": [],
"aliases": [
"CVE-2023-4214"
],
"database_specific": {
"cwe_ids": [
"CWE-620",
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-18T02:15:49Z",
"severity": "HIGH"
},
"details": "The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 4.2.5. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit.",
"id": "GHSA-4jjc-6xj9-r5q6",
"modified": "2023-11-18T03:30:20Z",
"published": "2023-11-18T03:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4214"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_API_Limit.php?rev=2997182"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_WPAPI_Mods.php#L567"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2997160/apppresser"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c44c36a-c4c7-49c2-b750-1589e7840dde?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4XFF-R326-4QV2
Vulnerability from github – Published: 2026-06-23 15:32 – Updated: 2026-06-23 15:32Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.
{
"affected": [],
"aliases": [
"CVE-2025-71337"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-23T13:16:38Z",
"severity": "HIGH"
},
"details": "Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.",
"id": "GHSA-4xff-r326-4qv2",
"modified": "2026-06-23T15:32:36Z",
"published": "2026-06-23T15:32:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71337"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/flowise-unverified-email-change-via-account-profile-endpoint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-4XW8-RVQF-QCHF
Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification.
{
"affected": [],
"aliases": [
"CVE-2018-8916"
],
"database_specific": {
"cwe_ids": [
"CWE-620",
"CWE-640"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-08T13:29:00Z",
"severity": "HIGH"
},
"details": "Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification.",
"id": "GHSA-4xw8-rvqf-qchf",
"modified": "2022-05-13T01:31:42Z",
"published": "2022-05-13T01:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8916"
},
{
"type": "WEB",
"url": "https://www.synology.com/en-global/support/security/Synology_SA_18_24"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5626-PW9C-HMJR
Vulnerability from github – Published: 2024-01-31 18:04 – Updated: 2024-02-08 16:30Impact
OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password.
An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance.
Patches
The vulnerability will be patched in version 1.10.0.
Workarounds
OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation.
Credits
This vulnerability was discovered and responsibly disclosed to OctoPrint by Timothy "TK" Ruppert.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.9.3"
},
"package": {
"ecosystem": "PyPI",
"name": "OctoPrint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.0rc1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-23637"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-620"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-31T18:04:48Z",
"nvd_published_at": "2024-01-31T18:15:49Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nOctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password.\n\nAn attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance.\n\n### Patches\n\nThe vulnerability will be patched in version 1.10.0.\n\n### Workarounds\n\nOctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation.\n\n### Credits\n\nThis vulnerability was discovered and responsibly disclosed to OctoPrint by Timothy \"TK\" Ruppert.\n",
"id": "GHSA-5626-pw9c-hmjr",
"modified": "2024-02-08T16:30:05Z",
"published": "2024-01-31T18:04:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23637"
},
{
"type": "WEB",
"url": "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125"
},
{
"type": "PACKAGE",
"url": "https://github.com/OctoPrint/OctoPrint"
},
{
"type": "WEB",
"url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2024-29.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OctoPrint Unverified Password Change via Access Control Settings"
}
GHSA-5697-P67M-73P6
Vulnerability from github – Published: 2024-07-17 18:31 – Updated: 2024-08-13 18:31A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users.
This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.
{
"affected": [],
"aliases": [
"CVE-2024-20419"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-17T17:15:14Z",
"severity": "CRITICAL"
},
"details": "A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users.\n\n This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.",
"id": "GHSA-5697-p67m-73p6",
"modified": "2024-08-13T18:31:13Z",
"published": "2024-07-17T18:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20419"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy"
},
{
"type": "WEB",
"url": "https://www.secpod.com/blog/critical-flaw-in-ciscos-secure-email-gateways-allows-attackers-to-control-the-device-completely"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5HV2-265F-8MM9
Vulnerability from github – Published: 2025-10-03 12:33 – Updated: 2026-04-08 18:33The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to to reset the password of arbitrary users, including administrators, thereby gaining administrative access.
{
"affected": [],
"aliases": [
"CVE-2025-9286"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-03T12:15:47Z",
"severity": "CRITICAL"
},
"details": "The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to to reset the password of arbitrary users, including administrators, thereby gaining administrative access.",
"id": "GHSA-5hv2-265f-8mm9",
"modified": "2026-04-08T18:33:56Z",
"published": "2025-10-03T12:33:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9286"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/appy-pie-connect-for-woocommerce/trunk/connect-woocommerce-rest-api.php"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3385150"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/appy-pie-connect-for-woocommerce"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/36fb5b8d-1ea4-45c2-8639-b229efdb57db?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5MXG-XJXM-9C6M
Vulnerability from github – Published: 2025-08-06 12:31 – Updated: 2025-08-06 12:31{
"affected": [],
"aliases": [
"CVE-2025-46389"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T11:15:28Z",
"severity": "MODERATE"
},
"details": "CWE-620: Unverified Password Change",
"id": "GHSA-5mxg-xjxm-9c6m",
"modified": "2025-08-06T12:31:20Z",
"published": "2025-08-06T12:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46389"
},
{
"type": "WEB",
"url": "https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5R3C-CQ8H-C6GX
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2026-04-08 21:31The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (wppb_front_end_password_recovery). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-0814, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-2297"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-27T00:15:08Z",
"severity": "HIGH"
},
"details": "The Profile Builder \u2013 User Profile \u0026 User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (wppb_front_end_password_recovery). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-0814, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this vulnerability.",
"id": "GHSA-5r3c-cq8h-c6gx",
"modified": "2026-04-08T21:31:49Z",
"published": "2023-07-06T19:24:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2297"
},
{
"type": "WEB",
"url": "https://lana.codes/lanavdb/512e7307-04a5-4d8b-8f79-f75f37784a9f"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2864329%40profile-builder\u0026new=2864329%40profile-builder\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/blog/2023/03/vulnerability-patched-in-cozmolabs-profile-builder-plugin-information-disclosure-leads-to-account-takeover"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e731292a-4f95-46eb-889e-b00d58f3444e?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5XRP-299Q-MXXJ
Vulnerability from github – Published: 2025-05-20 06:32 – Updated: 2025-05-20 06:32The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2025-4322"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-20T06:15:38Z",
"severity": "CRITICAL"
},
"details": "The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user\u0027s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.",
"id": "GHSA-5xrp-299q-mxxj",
"modified": "2025-05-20T06:32:18Z",
"published": "2025-05-20T06:32:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4322"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/61820ca5-5548-4155-b350-df3db1bc1661?source=cve"
},
{
"type": "WEB",
"url": "http://themeforest.net/item/motors-car-dealership-wordpress-theme/13987211"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-68RV-4J98-W7CQ
Vulnerability from github – Published: 2025-03-01 09:30 – Updated: 2025-03-01 09:30The Exertio Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.1. This is due to the plugin not properly validating a user's identity prior to updating their password through the fl_forgot_pass_new() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
{
"affected": [],
"aliases": [
"CVE-2024-13373"
],
"database_specific": {
"cwe_ids": [
"CWE-620"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-01T07:15:10Z",
"severity": "HIGH"
},
"details": "The Exertio Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.1. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password through the fl_forgot_pass_new() function. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
"id": "GHSA-68rv-4j98-w7cq",
"modified": "2025-03-01T09:30:28Z",
"published": "2025-03-01T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13373"
},
{
"type": "WEB",
"url": "https://themeforest.net/item/exertio-freelance-marketplace-wordpress-theme/30602587"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/897ce9a9-8b3e-40bc-9815-c55cc7a838f9?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When prompting for a password change, force the user to provide the original password in addition to the new password.
Mitigation
Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.
No CAPEC attack patterns related to this CWE.