SignUp & SignIn <= 1.0.0 - Unauthenticated Privilege Escalation via Weak Password Reset Validation via 'reset_activation_code' Leading to Account Takeover

An unauthenticated attacker sends a crafted POST request to `admin-ajax.php` with `action=pravel_change_password`, `reset_user_id` set to the target user's ID, and `new_password_custom` set to an attacker-chosen password. Because `pravel_change_password()` lacks nonce and capability checks, and because `get_user_meta()` returns an empty string when the target user has never initiated a password reset, the loose equality check against an omitted or empty `reset_activation_code` trivially passes. This allows the attacker to change any WordPress user's password, including administrators, and then log in with the new password to achieve full account takeover.

The vulnerability resides in the `pravel_change_password()` function in `lib/function.php` (lines 222–236). This AJAX handler is registered via `wp_ajax_nopriv_pravel_change_password` and is therefore accessible to unauthenticated users. It performs no nonce verification, no capability check, and uses a loose equality comparison (`==`) between the attacker-supplied `reset_activation_code` POST parameter and the `forgot_email` user meta value retrieved via `get_user_meta()` [ref_id=1][ref_id=2][ref_id=3].

The advisory does not provide a patch. To remediate, the `pravel_change_password()` function must validate a nonce, verify the user's identity (e.g., by checking the `reset_activation_code` against a stored value using strict comparison `===`), and ensure the code is non-empty before allowing a password change. Additionally, the handler should enforce that the user has actually requested a password reset by confirming the `forgot_email` meta key exists and is not an empty string.