CWE-620
Unverified Password Change
BaseDraft
Description
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (35)
page 2 of 2| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40588 | Hig | 0.53 | 8.1 | 0.00 | Apr 21, 2026 | blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session — through XSS exploitation, session sidejacking over HTTP, physical access to a logged-in browser, or a stolen "remember me" cookie — can immediately change the account password without knowing the original credential, resulting in permanent account takeover. This vulnerability is fixed in 4.2.0. | |
| CVE-2025-61536 | Hig | 0.53 | 8.2 | 0.00 | Oct 16, 2025 | FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted `req.headers.host` header and forces the `http://` scheme. An attacker who can control the `Host` header (or exploit a misconfigured proxy/load-balancer that forwards the header unchanged) can cause reset links to point to attacker-controlled domains or be delivered via insecure HTTP, enabling token theft, phishing, and account takeover. | |
| CVE-2025-22381 | Hig | 0.53 | 8.2 | 0.00 | Oct 16, 2025 | Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password. | |
| CVE-2024-13373 | Hig | 0.53 | 8.1 | 0.00 | Mar 1, 2025 | The Exertio Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.1. This is due to the plugin not properly validating a user's identity prior to updating their password through the fl_forgot_pass_new() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | |
| CVE-2023-4214 | Hig | 0.53 | 8.1 | 0.00 | Nov 18, 2023 | The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 4.2.5. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit. | |
| CVE-2025-67719 | Hig | 0.48 | — | 0.00 | Dec 11, 2025 | Ibexa is a composable end-to-end DXP (Digital Experience Platform). Versions 5.0.0-beta1 through 5.0.3 do not have password validation. During the transition from v4 to v5 an error was introduced into validation code which causes the validation of the previous password not to run as expected. This makes it possible for a logged in user to change their password in the back office without knowing the previous password. For example, if a user logs into their account and walks away without locking their workstation, an attacker could access the unattended session and change the password, therefore locking the legitimate user out. This issue is fixed in version 5.0.4. | |
| CVE-2026-42084 | Hig | 0.46 | 8.1 | 0.00 | May 4, 2026 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to gain persistence in hijacked account (including admin) and prevent legitimate users from accessing the account. This issue has been patched in versions 6.10.5 and 7.0.0-rc3. | |
| CVE-2025-61132 | Hig | 0.46 | 7.1 | 0.00 | Oct 23, 2025 | A Host Header Injection vulnerability in the password reset component in levlaz braindump v0.4.14 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) generates reset links without a fixed SERVER_NAME. | |
| CVE-2025-46389 | Med | 0.42 | 6.5 | 0.00 | Aug 6, 2025 | CWE-620: Unverified Password Change | |
| CVE-2019-25653 | Med | 0.40 | 6.2 | 0.00 | Mar 30, 2026 | Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during Oracle connection configuration to trigger an application crash. | |
| CVE-2023-4915 | Med | 0.34 | 5.3 | 0.00 | Sep 13, 2023 | The WP User Control plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.5.3. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (in the WP User Control Widget). The function changes the user's password after providing the email. The new password is only sent to the user's email, so the attacker does not have access to the new password. | |
| CVE-2025-3793 | Med | 0.27 | 4.2 | 0.00 | Apr 24, 2025 | The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with subscriber-level access and above and under certain prerequisites, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their accounts. | |
| CVE-2026-2543 | Low | 0.18 | 2.7 | 0.00 | Feb 16, 2026 | A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-46748 | Low | 0.18 | 2.7 | 0.00 | May 12, 2025 | An authenticated user attempting to change their password could do so without using the current password. | |
| CVE-2024-47784 | Low | 0.17 | 2.6 | 0.00 | Apr 30, 2025 | Unverified Password Change for ANC software that allows an authenticated attacker to bypass the old Password check in the password change form via a web HMI This issue affects ANC software version 1.1.4 and earlier. |