Search criteria
2 vulnerabilities found for WP User Manager – User Profile Builder & Membership by Unknown
CVE-2021-24655 (GCVE-0-2021-24655)
Vulnerability from cvelistv5 – Published: 2022-07-17 10:35 – Updated: 2024-08-03 19:35
VLAI?
Title
WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise
Summary
The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.
Severity ?
No CVSS data available.
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | WP User Manager – User Profile Builder & Membership |
Affected:
2.6.3 , < 2.6.3
(custom)
|
Credits
AyeCode Ltd
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:20.306Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP User Manager \u2013 User Profile Builder \u0026 Membership",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.6.3",
"status": "affected",
"version": "2.6.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "AyeCode Ltd"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-17T10:35:28",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541f"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WP User Manager \u003c 2.6.3 - Arbitrary User Password Reset to Account Compromise",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24655",
"STATE": "PUBLIC",
"TITLE": "WP User Manager \u003c 2.6.3 - Arbitrary User Password Reset to Account Compromise"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP User Manager \u2013 User Profile Builder \u0026 Membership",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.6.3",
"version_value": "2.6.3"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "AyeCode Ltd"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-639 Authorization Bypass Through User-Controlled Key"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541f",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541f"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24655",
"datePublished": "2022-07-17T10:35:28",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:35:20.306Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24655 (GCVE-0-2021-24655)
Vulnerability from nvd – Published: 2022-07-17 10:35 – Updated: 2024-08-03 19:35
VLAI?
Title
WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise
Summary
The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.
Severity ?
No CVSS data available.
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | WP User Manager – User Profile Builder & Membership |
Affected:
2.6.3 , < 2.6.3
(custom)
|
Credits
AyeCode Ltd
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:35:20.306Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP User Manager \u2013 User Profile Builder \u0026 Membership",
"vendor": "Unknown",
"versions": [
{
"lessThan": "2.6.3",
"status": "affected",
"version": "2.6.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "AyeCode Ltd"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-17T10:35:28",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541f"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WP User Manager \u003c 2.6.3 - Arbitrary User Password Reset to Account Compromise",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24655",
"STATE": "PUBLIC",
"TITLE": "WP User Manager \u003c 2.6.3 - Arbitrary User Password Reset to Account Compromise"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP User Manager \u2013 User Profile Builder \u0026 Membership",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "2.6.3",
"version_value": "2.6.3"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "AyeCode Ltd"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-639 Authorization Bypass Through User-Controlled Key"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541f",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541f"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24655",
"datePublished": "2022-07-17T10:35:28",
"dateReserved": "2021-01-14T00:00:00",
"dateUpdated": "2024-08-03T19:35:20.306Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}