CVE-2024-8794

MEDIUM Year: 2024
CVSS v3 Score
5.3
Medium
Weakness Type
CWE-620
View all →

Vulnerability Description

The BA Book Everything plugin for WordPress is vulnerable to arbitrary password reset in all versions up to, and including, 1.6.20. This is due to the reset_user_password() function not verifying a user's identity prior to setting a password. This makes it possible for unauthenticated attackers to reset any user's passwords, including administrators. It's important to note that the attacker will not have access to the generated password, therefore, privilege escalation is not possible.

Related Vulnerabilities

CVE-2022-2930

MEDIUM
CVSS:5.3(Medium)

Unverified Password Change in GitHub repository octoprint/octoprint prior to 1.8.3.

CWE-6202022

CVE-2025-4552

MEDIUM
CVSS:5.4(Medium)

A vulnerability has been found in ContiNew Admin up to 3.6.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /dev-api/system/user/1/password. The ...

CWE-6202025

CVE-2021-34786

MEDIUM
CVSS:4.9(Medium)

Multiple vulnerabilities in Cisco BroadWorks CommPilot Application Software could allow an authenticated, remote attacker to delete arbitrary user accounts or gain elevated privileges on an affected s...

CWE-6202021

CVE-2023-4381

MEDIUM
CVSS:4.3(Medium)

Unverified Password Change in GitHub repository instantsoft/icms2 prior to 2.16.1-git.

CWE-6202023

CVE-2023-5844

MEDIUM
CVSS:4.3(Medium)

Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.

CWE-6202023

CVE-2025-3849

MEDIUM
CVSS:4.3(Medium)

A vulnerability classified as problematic was found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0. This vulnerability affects unknown code of the file /api/studentPWD. The manipulation of the argument stud...

CWE-6202025