CWE-620
Unverified Password Change
Description
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (46)
page 2 of 3

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-61536 | — | High | 0.53 | 8.2 | 0.00 | | Oct 16, 2025 | FelixRiddle dev-jobs-handlebars 1.0 uses absolute password-reset (magic) links using the untrusted `req.headers.host` header and forces the `http://` scheme. An attacker who can control the `Host` header (or exploit a misconfigured proxy/load-balancer that forwards the header… |
| CVE-2025-22381 | — | High | 0.53 | 8.2 | 0.01 | | Oct 16, 2025 | Aggie 2.6.1 has a Host Header injection vulnerability in the forgot password functionality, allowing an attacker to reset a user's password. |
| CVE-2024-13373 | | High | 0.53 | 8.1 | 0.00 | | Mar 1, 2025 | The Exertio Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.1. This is due to the plugin not properly validating a user's identity prior to updating their password through the… |
| CVE-2025-3607 | | High | 0.50 | 8.8 | 0.00 | | Apr 24, 2025 | The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.8. This is due to the plugin not properly validating a user's identity prior to updating a password. This makes it… |
| CVE-2025-67719 | | High | 0.48 | — | 0.00 | | Dec 11, 2025 | Ibexa is a composable end-to-end DXP (Digital Experience Platform). Versions 5.0.0-beta1 through 5.0.3 do not have password validation. During the transition from v4 to v5 an error was introduced into validation code which causes the validation of the previous password not to… |
| CVE-2026-42084 | | High | 0.46 | 8.1 | 0.00 | | May 4, 2026 | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionality allows a user to change their password without providing the old password, by… |
| CVE-2026-40588 | | High | 0.46 | 8.1 | 0.00 | | Apr 21, 2026 | blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/{slug}/edit/ does not include a current_password field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid… |
| CVE-2025-61132 | | High | 0.46 | 7.1 | 0.00 | | Oct 23, 2025 | A Host Header Injection vulnerability in the password reset component in levlaz braindump v0.4.14 allows remote attackers to conduct password reset poisoning and account takeover via manipulation of the Host header when Flask's url_for(_external=True) generates reset links… |
| CVE-2023-4214 | | High | 0.46 | 8.1 | 0.01 | | Nov 18, 2023 | The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 4.2.5. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit. |
| CVE-2025-46389 | — | Med | 0.42 | 6.5 | 0.00 | | Aug 6, 2025 | CWE-620: Unverified Password Change |
| CVE-2018-8916 | | Med | 0.41 | 6.3 | 0.01 | | Jun 8, 2018 | Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification. |
| CVE-2019-25653 | | Med | 0.40 | 6.2 | 0.00 | | Mar 30, 2026 | Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during… |
| CVE-2023-4915 | | Med | 0.34 | 5.3 | 0.00 | | Sep 13, 2023 | The WP User Control plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.5.3. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (in the WP User Control… |
| CVE-2025-3793 | | Med | 0.27 | 4.2 | 0.00 | | Apr 24, 2025 | The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and… |
| CVE-2026-8327 | | Med | 0.21 | 4.3 | 0.00 | | May 21, 2026 | Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update() without field whitelisting resulting in password change without… |
| CVE-2026-9249 | | Low | 0.20 | 3.1 | 0.00 | | May 22, 2026 | Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server… |
| CVE-2026-2543 | | Low | 0.18 | 2.7 | 0.00 | | Feb 16, 2026 | A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be… |
| CVE-2025-46748 | — | Low | 0.18 | 2.7 | 0.00 | | May 12, 2025 | An authenticated user attempting to change their password could do so without using the current password. |
| CVE-2024-47784 | | Low | 0.17 | 2.6 | 0.00 | | Apr 30, 2025 | Unverified Password Change for ANC software that allows an authenticated attacker to bypass the old Password check in the password change form via a web HMI This issue affects ANC software version 1.1.4 and earlier. |
| CVE-2025-47938 | | | 0.00 | — | 0.00 | | May 20, 2025 | TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, the backend user management interface allows password changes without requiring the current… |