CVE-2021-24655 — HIGH (7.5)

Q: How severe is CVE-2021-24655?

CVE-2021-24655 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-24655?

Check the references section above for vendor advisories and patch information. Affected products include: Wpusermanager Wp User Manager.

Vulnerability Description

The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Wpusermanager	Wp User Manager	< 2.6.3

Related Weaknesses (CWE)

CWE-639

References

https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541fExploitThird Party Advisory
https://wpscan.com/vulnerability/cce03550-7f65-4172-819e-025755fb541fExploitThird Party Advisory

FAQ

What is CVE-2021-24655?

CVE-2021-24655 is a vulnerability with a CVSS score of 7.5 (HIGH). The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the passwor...

How severe is CVE-2021-24655?

CVE-2021-24655 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-24655?

Check the references section above for vendor advisories and patch information. Affected products include: Wpusermanager Wp User Manager.