Ace User Management WordPress Plugin Password Reset Vulnerability Allowing Authentication Bypass

Vulnerability

A vulnerability exists in the Ace User Management WordPress plugin, affecting versions through 2.0.3. The issue arises because the plugin fails to properly validate that a password reset token is linked to the user who requested it. This flaw enables any authenticated user, such as a subscriber, to reset the passwords of arbitrary accounts, including those of administrators.

Impact

Exploitation of this vulnerability allows unauthorized password resets, giving an attacker access to other users' accounts, including administrator accounts.

Reproduction

To reproduce this vulnerability, an authenticated user must send a password reset request for their own account, which will generate a reset link containing a valid token. This token can then be used to reset the password of any user by sending a crafted request that includes the token, the new password, and the user ID of the account to be targeted.
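The token-binding flaw described above, modelled in Python as an added example (this is not the plugin's code and does not reflect its real storage layout): the vulnerable handler trusts the user ID supplied in the request, while the fixed handler honours a token only for the account that requested it.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for the WordPress user table and the plugin's
# token store; this models the described flaw and is not the plugin's own code.
USERS = {1: {"login": "admin", "pw": "old-admin-pw"},
         7: {"login": "subscriber", "pw": "old-sub-pw"}}
TOKENS = {}        # sha256(token) -> {"user_id", "expires", "used"}
TOKEN_TTL = 3600   # seconds a reset link stays valid (assumed value)

def _token_key(token):
    # Only a hash is stored, so a leaked token table cannot be replayed directly.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_reset_token(requesting_user_id):
    """Create a reset token and record which account asked for it."""
    token = secrets.token_urlsafe(32)
    TOKENS[_token_key(token)] = {"user_id": requesting_user_id,
                                 "expires": time.time() + TOKEN_TTL, "used": False}
    return token

def _live_record(token):
    """Return the token's record if it exists, is unused and has not expired."""
    rec = TOKENS.get(_token_key(token))
    if rec is None or rec["used"] or time.time() > rec["expires"]:
        return None
    return rec

def reset_password_vulnerable(token, new_password, target_user_id):
    """Vulnerable pattern: any live token is accepted for any user ID."""
    rec = _live_record(token)
    if rec is None or target_user_id not in USERS:
        return False
    USERS[target_user_id]["pw"] = new_password   # target taken from the request
    rec["used"] = True
    return True

def reset_password_fixed(token, new_password, target_user_id):
    """Fixed pattern: the token is honoured only for the account it was issued to."""
    rec = _live_record(token)
    if rec is None or rec["user_id"] != target_user_id:
        return False   # token not bound to this target: reject, do not fall back
    USERS[target_user_id]["pw"] = new_password
    rec["used"] = True
    return True
```

The same check applies whether the target is passed explicitly or implied: the account to reset must be derived from, or compared against, the account the token was issued for, never taken from the request alone.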

Added: Nov 5, 2025, 6:16 AM
Updated: Nov 5, 2025, 6:16 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.