Description
The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the `pravel_change_password()` AJAX handler — registered via `wp_ajax_nopriv_pravel_change_password` and therefore accessible to unauthenticated users — performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied `reset_activation_code` POST parameter and the target user's `forgot_email` user meta value; when a user has never initiated a password reset, `get_user_meta()` returns an empty string that trivially satisfies this check against an omitted or empty attacker-supplied code. This makes it possible for unauthenticated attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request to `admin-ajax.php` with `action=pravel_change_password`, `reset_user_id` set to the target account's user ID, and `new_password_custom` set to an attacker-chosen password. Successful exploitation allows the attacker to authenticate with the newly set password and fully take over the targeted account, achieving administrator-level privilege escalation on the affected site.
CVSS breakdown
Affected products
- pravel / SignUp & SignIn0 – 1.0.0
References
- MISChttps://www.wordfence.com/threat-intel/vulnerabilities/id/c0a617fc-da3d-4828-b027-44093dd11769?source=cve
- MISChttps://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L229
- MISChttps://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L222
- MISChttps://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L38