Common Weakness Enumeration

CWE-620

Allowed

Unverified Password Change

Abstraction: Base · Status: Draft

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

157 vulnerabilities reference this CWE, most recent first.

GHSA-4JJC-6XJ9-R5Q6

Vulnerability from github – Published: 2023-11-18 03:30 – Updated: 2023-11-18 03:30
VLAI
Details

The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 4.2.5. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-4214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-18T02:15:49Z",
    "severity": "HIGH"
  },
  "details": "The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 4.2.5. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit.",
  "id": "GHSA-4jjc-6xj9-r5q6",
  "modified": "2023-11-18T03:30:20Z",
  "published": "2023-11-18T03:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4214"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_API_Limit.php?rev=2997182"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/apppresser/trunk/inc/AppPresser_WPAPI_Mods.php#L567"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/2997160/apppresser"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c44c36a-c4c7-49c2-b750-1589e7840dde?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4XFF-R326-4QV2

Vulnerability from github – Published: 2026-06-23 15:32 – Updated: 2026-06-23 15:32
VLAI
Details

Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-71337"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-23T13:16:38Z",
    "severity": "HIGH"
  },
  "details": "Flowise before 3.0.10 (affected versions 3.0.7 and earlier) contains an unverified email change vulnerability. An authenticated user can change the account email address, used as a login identifier and password-recovery channel, via the account profile endpoint without confirming the change to the original email address or re-entering the current password. By changing the recovery email, an attacker can take over the account and abuse password reset mechanisms.",
  "id": "GHSA-4xff-r326-4qv2",
  "modified": "2026-06-23T15:32:36Z",
  "published": "2026-06-23T15:32:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-x39m-3393-3qp4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71337"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/flowise-unverified-email-change-via-account-profile-endpoint"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4XW8-RVQF-QCHF

Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31
VLAI
Details

Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-8916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620",
      "CWE-640"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-08T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification.",
  "id": "GHSA-4xw8-rvqf-qchf",
  "modified": "2022-05-13T01:31:42Z",
  "published": "2022-05-13T01:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8916"
    },
    {
      "type": "WEB",
      "url": "https://www.synology.com/en-global/support/security/Synology_SA_18_24"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5626-PW9C-HMJR

Vulnerability from github – Published: 2024-01-31 18:04 – Updated: 2024-02-08 16:30
VLAI
Summary
OctoPrint Unverified Password Change via Access Control Settings
Details

Impact

OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password.

An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance.

Patches

The vulnerability will be patched in version 1.10.0.

Workarounds

OctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation.

Credits

This vulnerability was discovered and responsibly disclosed to OctoPrint by Timothy "TK" Ruppert.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.9.3"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "OctoPrint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.10.0rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-23637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-620"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-31T18:04:48Z",
    "nvd_published_at": "2024-01-31T18:15:49Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nOctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password.\n\nAn attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance.\n\n### Patches\n\nThe vulnerability will be patched in version 1.10.0.\n\n### Workarounds\n\nOctoPrint administrators are strongly advised to thoroughly vet who has admin access to their installation.\n\n### Credits\n\nThis vulnerability was discovered and responsibly disclosed to OctoPrint by Timothy \"TK\" Ruppert.\n",
  "id": "GHSA-5626-pw9c-hmjr",
  "modified": "2024-02-08T16:30:05Z",
  "published": "2024-01-31T18:04:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23637"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OctoPrint/OctoPrint"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/octoprint/PYSEC-2024-29.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OctoPrint Unverified Password Change via Access Control Settings"
}

GHSA-5697-P67M-73P6

Vulnerability from github – Published: 2024-07-17 18:31 – Updated: 2024-08-13 18:31
VLAI
Details

A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users.

This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-17T17:15:14Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users.\n\n This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.",
  "id": "GHSA-5697-p67m-73p6",
  "modified": "2024-08-13T18:31:13Z",
  "published": "2024-07-17T18:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20419"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy"
    },
    {
      "type": "WEB",
      "url": "https://www.secpod.com/blog/critical-flaw-in-ciscos-secure-email-gateways-allows-attackers-to-control-the-device-completely"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5HV2-265F-8MM9

Vulnerability from github – Published: 2025-10-03 12:33 – Updated: 2026-04-08 18:33
VLAI
Details

The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to to reset the password of arbitrary users, including administrators, thereby gaining administrative access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-03T12:15:47Z",
    "severity": "CRITICAL"
  },
  "details": "The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to to reset the password of arbitrary users, including administrators, thereby gaining administrative access.",
  "id": "GHSA-5hv2-265f-8mm9",
  "modified": "2026-04-08T18:33:56Z",
  "published": "2025-10-03T12:33:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9286"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/appy-pie-connect-for-woocommerce/trunk/connect-woocommerce-rest-api.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3385150"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/appy-pie-connect-for-woocommerce"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/36fb5b8d-1ea4-45c2-8639-b229efdb57db?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5MXG-XJXM-9C6M

Vulnerability from github – Published: 2025-08-06 12:31 – Updated: 2025-08-06 12:31
VLAI
Details

CWE-620: Unverified Password Change

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46389"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-06T11:15:28Z",
    "severity": "MODERATE"
  },
  "details": "CWE-620: Unverified Password Change",
  "id": "GHSA-5mxg-xjxm-9c6m",
  "modified": "2025-08-06T12:31:20Z",
  "published": "2025-08-06T12:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46389"
    },
    {
      "type": "WEB",
      "url": "https://www.gov.il/en/departments/dynamiccollectors/cve_advisories_listing?skip=0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R3C-CQ8H-C6GX

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2026-04-08 21:31
VLAI
Details

The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (wppb_front_end_password_recovery). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-0814, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2297"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-27T00:15:08Z",
    "severity": "HIGH"
  },
  "details": "The Profile Builder \u2013 User Profile \u0026 User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets  in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (wppb_front_end_password_recovery). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-0814, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this vulnerability.",
  "id": "GHSA-5r3c-cq8h-c6gx",
  "modified": "2026-04-08T21:31:49Z",
  "published": "2023-07-06T19:24:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2297"
    },
    {
      "type": "WEB",
      "url": "https://lana.codes/lanavdb/512e7307-04a5-4d8b-8f79-f75f37784a9f"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2864329%40profile-builder\u0026new=2864329%40profile-builder\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/blog/2023/03/vulnerability-patched-in-cozmolabs-profile-builder-plugin-information-disclosure-leads-to-account-takeover"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e731292a-4f95-46eb-889e-b00d58f3444e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5XRP-299Q-MXXJ

Vulnerability from github – Published: 2025-05-20 06:32 – Updated: 2025-05-20 06:32
VLAI
Details

The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4322"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-20T06:15:38Z",
    "severity": "CRITICAL"
  },
  "details": "The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user\u0027s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.",
  "id": "GHSA-5xrp-299q-mxxj",
  "modified": "2025-05-20T06:32:18Z",
  "published": "2025-05-20T06:32:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4322"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/61820ca5-5548-4155-b350-df3db1bc1661?source=cve"
    },
    {
      "type": "WEB",
      "url": "http://themeforest.net/item/motors-car-dealership-wordpress-theme/13987211"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68RV-4J98-W7CQ

Vulnerability from github – Published: 2025-03-01 09:30 – Updated: 2025-03-01 09:30
VLAI
Details

The Exertio Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.1. This is due to the plugin not properly validating a user's identity prior to updating their password through the fl_forgot_pass_new() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-01T07:15:10Z",
    "severity": "HIGH"
  },
  "details": "The Exertio Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.1. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password through the fl_forgot_pass_new() function. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account.",
  "id": "GHSA-68rv-4j98-w7cq",
  "modified": "2025-03-01T09:30:28Z",
  "published": "2025-03-01T09:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13373"
    },
    {
      "type": "WEB",
      "url": "https://themeforest.net/item/exertio-freelance-marketplace-wordpress-theme/30602587"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/897ce9a9-8b3e-40bc-9815-c55cc7a838f9?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

When prompting for a password change, force the user to provide the original password in addition to the new password.

Mitigation
Architecture and Design

Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.

No CAPEC attack patterns related to this CWE.