Description
The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the `pravel_change_password()` AJAX handler — registered via `wp_ajax_nopriv_pravel_change_password` and therefore accessible to unauthenticated users — performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied `reset_activation_code` POST parameter and the target user's `forgot_email` user meta value; when a user has never initiated a password reset, `get_user_meta()` returns an empty string that trivially satisfies this check against an omitted or empty attacker-supplied code. This makes it possible for unauthenticated attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request to `admin-ajax.php` with `action=pravel_change_password`, `reset_user_id` set to the target account's user ID, and `new_password_custom` set to an attacker-chosen password. Successful exploitation allows the attacker to authenticate with the newly set password and fully take over the targeted account, achieving administrator-level privilege escalation on the affected site.
Severity (CVSS)
| Base score | 9.8 |
|---|---|
| Severity | Critical |
| Version | CVSS 3.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Provided by | CNA |
Weaknesses
- CWE-640 — CWE-640 Weak Password Recovery Mechanism for Forgotten Password
Affected products
| Vendor | Product | Versions |
|---|---|---|
| pravel | SignUp & SignIn | 0 to <=1.0.0 |
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c0a617fc-da3d-4828-b027-44093dd11769?source=cve
- https://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L229
- https://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L222
- https://plugins.trac.wordpress.org/browser/signup-signin/tags/1.0.0/lib/function.php#L38
Generated from the official CVE List on 24 Jun 2026 09:35 UTC.