CWE-620
Unverified Password Change
BaseDraft
Description
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (34)
page 1 of 2| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-12824 | Cri | 0.68 | 9.8 | 0.48 | Mar 1, 2025 | The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and leverage that to gain access to their account. | |
| CVE-2025-4322 | Cri | 0.67 | 9.8 | 0.44 | May 20, 2025 | The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account. | |
| CVE-2024-13375 | Cri | 0.65 | 9.8 | 0.11 | Jan 18, 2025 | The Adifier System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.1.7. This is due to the plugin not properly validating a user's identity prior to updating their details like password through the adifier_recover() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | |
| CVE-2025-9286 | Cri | 0.64 | 9.8 | 0.00 | Oct 3, 2025 | The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to to reset the password of arbitrary users, including administrators, thereby gaining administrative access. | |
| CVE-2025-10159 | Cri | 0.64 | 9.8 | 0.00 | Sep 9, 2025 | An authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos AP6 Series Wireless Access Points older than firmware version 1.7.2563 (MR7). | |
| CVE-2025-4606 | Cri | 0.64 | 9.8 | 0.00 | Jul 9, 2025 | The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | |
| CVE-2024-12827 | Cri | 0.64 | 9.8 | 0.01 | Jun 27, 2025 | The DWT - Directory & Listing WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.6. This is due to the plugin not properly checking for an empty token value prior to resetting a user's password through the dwt_listing_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | |
| CVE-2025-4558 | Cri | 0.64 | 9.8 | 0.01 | May 12, 2025 | The GPM from WormHole Tech has an Unverified Password Change vulnerability, allowing unauthenticated remote attackers to change any user's password and use the modified password to log into the system. | |
| CVE-2025-2253 | Cri | 0.64 | 9.8 | 0.01 | May 9, 2025 | The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init() function. This makes it possible for unauthenticated attackers to change any user's passwords, including administrators if the users email is known. | |
| CVE-2025-3603 | Cri | 0.64 | 9.8 | 0.01 | Apr 24, 2025 | The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | |
| CVE-2025-1107 | Cri | 0.64 | 9.9 | 0.00 | Feb 7, 2025 | Unverified password change vulnerability in Janto, versions prior to r12. This could allow an unauthenticated attacker to change another user's password without knowing their current password. To exploit the vulnerability, the attacker must create a specific POST request and send it to the endpoint ‘/public/cgi/Gateway.php’. | |
| CVE-2024-26520 | Cri | 0.64 | 9.8 | 0.00 | Jul 26, 2024 | An issue in Hangzhou Xiongwei Technology Development Co., Ltd. Restaurant Digital Comprehensive Management platform v1 allows an attacker to bypass authentication and perform arbitrary password resets. | |
| CVE-2024-37998 | Cri | 0.64 | 9.8 | 0.00 | Jul 22, 2024 | A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V5.40), SICORE Base system (All versions < V1.4.0). The password of administrative accounts of the affected applications can be reset without requiring the knowledge of the current password, given the auto login is enabled. This could allow an unauthorized attacker to obtain administrative access of the affected applications. | |
| CVE-2023-2449 | Cri | 0.64 | 9.8 | 0.01 | Nov 22, 2023 | The UserPro plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 5.1.1. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (userpro_process_form). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-2448 and CVE-2023-2446, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this vulnerability. | |
| CVE-2023-2297 | Cri | 0.64 | 9.8 | 0.01 | Apr 27, 2023 | The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (wppb_front_end_password_recovery). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-0814, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this vulnerability. | |
| CVE-2025-14751 | Hig | 0.57 | — | 0.00 | Jan 22, 2026 | A low-privileged user can bypass account credentials without confirming the user's current authentication state, which may lead to unauthorized privilege escalation. | |
| CVE-2025-3607 | Hig | 0.57 | 8.8 | 0.00 | Apr 24, 2025 | The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.8. This is due to the plugin not properly validating a user's identity prior to updating a password. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | |
| CVE-2024-28143 | Hig | 0.55 | 8.4 | 0.00 | Dec 12, 2024 | The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a new password within the -rsetpass+-aaction+- parameter for a user without knowing the old password, e.g. by exploiting a CSRF issue. | |
| CVE-2025-62425 | Hig | 0.54 | 8.3 | 0.00 | Oct 16, 2025 | MAS (Matrix Authentication Service) is a user management and authentication service for Matrix homeservers, written and maintained by Element. A logic flaw in matrix-authentication-service 0.20.0 through 1.4.0 allows an attacker with access to an authenticated MAS session to perform sensitive operations without entering the current password. These include changing the current password, adding or removing an e-mail address and deactivating the account. The vulnerability only affects instances which have the local password database feature enabled (passwords section in the config). Patched in matrix-authentication-service 1.4.1. | |
| CVE-2026-40588 | Hig | 0.53 | 8.1 | 0.00 | Apr 21, 2026 | blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session — through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen "remember me" cookie — can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0. |