Common Weakness Enumeration

CWE-620

Allowed

Unverified Password Change

Abstraction: Base · Status: Draft

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

157 vulnerabilities reference this CWE, most recent first.

CVE-2025-14751 (GCVE-0-2025-14751)

Vulnerability from cvelistv5 – Published: 2026-01-22 21:42 – Updated: 2026-01-26 21:02
VLAI
Title
Unverified Password Change in Weintek cMT X Series HMI EasyWeb Service
Summary
A low-privileged user can bypass account credentials without confirming the user's current authentication state, which may lead to unauthorized privilege escalation.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-620 - Unverified Password Change
Assigner
References
Impacted products
Vendor Product Version
Weintek cMT3072XH Affected: 20200630 , < 20241112 (custom)
Create a notification for this product.
Weintek cMT3072XH(T) Affected: 20200630 , < 20241112 (custom)
Create a notification for this product.
Weintek cMT-SVRX-820 Affected: 20220413 , < 20240919 (custom)
Create a notification for this product.
Weintek cMT-CTRL01 Affected: 20230308 , < 20250827 (custom)
Create a notification for this product.
Credits
Joel Aviad Ossi of WebSec B.V reported these vulnerabilities to CISA.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14751",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-26T21:01:59.502514Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-26T21:02:09.222Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "cMT3072XH",
          "vendor": "Weintek",
          "versions": [
            {
              "lessThan": "20241112",
              "status": "affected",
              "version": "20200630",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "cMT3072XH(T)",
          "vendor": "Weintek",
          "versions": [
            {
              "lessThan": "20241112",
              "status": "affected",
              "version": "20200630",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "cMT-SVRX-820",
          "vendor": "Weintek",
          "versions": [
            {
              "lessThan": "20240919",
              "status": "affected",
              "version": "20220413",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "cMT-CTRL01",
          "vendor": "Weintek",
          "versions": [
            {
              "lessThan": "20250827",
              "status": "affected",
              "version": "20230308",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Joel Aviad Ossi of WebSec B.V reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A low-privileged user can bypass account credentials without confirming the user\u0027s current authentication state, which may lead to unauthorized privilege escalation.\u003cbr\u003e"
            }
          ],
          "value": "A low-privileged user can bypass account credentials without confirming the user\u0027s current authentication state, which may lead to unauthorized privilege escalation."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-620",
              "description": "CWE-620 Unverified Password Change",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T21:42:50.871Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "government-resource"
          ],
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Weintek recommends users implement the following mitigation techniques: \u003cbr\u003e\u003cbr\u003e* cMT3072XH: Version 20241112\u003cbr\u003e* cMT3072XH(T): Version 20241112\u003cbr\u003e* cMT-SVRX-820: Version 20240919\u003cbr\u003e* cMT-CTRL01: Version 20250827\u003cbr\u003e\u003cbr\u003eFor more information, see Weintek\u0027s planned notice: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://dl.weintek.com/public/Document/TEC/TEC25003E_cMT_EasyWeb_V2_Security_Issues.pdf\"\u003ehttps://dl.weintek.com/public/Document/TEC/TEC25003E_cMT_EasyWeb_V2_Security_Issues.pdf\u003c/a\u003e\u003cbr\u003e"
            }
          ],
          "value": "Weintek recommends users implement the following mitigation techniques: \n\n* cMT3072XH: Version 20241112\n* cMT3072XH(T): Version 20241112\n* cMT-SVRX-820: Version 20240919\n* cMT-CTRL01: Version 20250827\n\nFor more information, see Weintek\u0027s planned notice:  https://dl.weintek.com/public/Document/TEC/TEC25003E_cMT_EasyWeb_V2_Security_Issues.pdf"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Unverified Password Change in Weintek cMT X Series HMI EasyWeb Service",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-14751",
    "datePublished": "2026-01-22T21:42:50.871Z",
    "dateReserved": "2025-12-15T20:40:05.015Z",
    "dateUpdated": "2026-01-26T21:02:09.222Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13148 (GCVE-0-2025-13148)

Vulnerability from cvelistv5 – Published: 2025-12-11 19:48 – Updated: 2025-12-11 20:34
VLAI
Title
IBM Aspera Orchestrator Unverified Password Change
Summary
IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow could an authenticated user to change the password of another user without prior knowledge of that password.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-620 - Unverified Password Change
Assigner
ibm
References
URL Tags
https://www.ibm.com/support/pages/node/7254434 vendor-advisorypatch
Impacted products
Vendor Product Version
IBM Aspera Orchestrator Affected: 4.0.0 , ≤ 4.1.0 (semver)
    cpe:2.3:a:ibm:aspera_orchestrator:4.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:ibm:aspera_orchestrator:4.1.0:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13148",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-11T20:28:26.053165Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-11T20:34:48.865Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:ibm:aspera_orchestrator:4.0.0:*:*:*:*:*:*:*",
            "cpe:2.3:a:ibm:aspera_orchestrator:4.1.0:*:*:*:*:*:*:*"
          ],
          "product": "Aspera Orchestrator",
          "vendor": "IBM",
          "versions": [
            {
              "lessThanOrEqual": "4.1.0",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow could an authenticated user to change the password of another user without prior knowledge of that password.\u003c/p\u003e"
            }
          ],
          "value": "IBM Aspera Orchestrator 4.0.0 through 4.1.0 could allow could an authenticated user to change the password of another user without prior knowledge of that password."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-620",
              "description": "CWE-620 Unverified Password Change",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-11T19:48:18.992Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://www.ibm.com/support/pages/node/7254434"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eRemediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading: Product Version Platform Link to Fix IBM Aspera Orchestrator 4.1.1 Linux click here\u003c/p\u003e"
            }
          ],
          "value": "Remediation/Fixes IBM strongly recommends addressing the vulnerability now by upgrading: Product Version Platform Link to Fix IBM Aspera Orchestrator 4.1.1 Linux click here"
        }
      ],
      "title": "IBM Aspera Orchestrator Unverified Password Change",
      "x_generator": {
        "engine": "ibm-cvegen"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2025-13148",
    "datePublished": "2025-12-11T19:48:18.992Z",
    "dateReserved": "2025-11-13T20:10:16.726Z",
    "dateUpdated": "2025-12-11T20:34:48.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11235 (GCVE-0-2025-11235)

Vulnerability from cvelistv5 – Published: 2026-01-06 22:16 – Updated: 2026-01-07 16:25
VLAI
Title
MOVEit Transfer REST API does not require current password in order to initiate the password change process
Summary
Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-620 - Unverified Password Change
Assigner
Impacted products
Vendor Product Version
Progress MOVEit Transfer Affected: 2023.1.0 , < 2023.1.3 (semver)
Affected: 2023.0.0 , < 2023.0.8 (semver)
Affected: 2022.1.0 , < 2022.1.11 (semver)
Affected: 2022.0.0 , < 2022.0.10 (semver)
Create a notification for this product.
Credits
Aden Yap Chuen Zhen, BAE SYSTEM Digital Intelligence
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11235",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-07T16:24:49.767769Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-07T16:25:41.732Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "REST API"
          ],
          "platforms": [
            "Windows"
          ],
          "product": "MOVEit Transfer",
          "vendor": "Progress",
          "versions": [
            {
              "lessThan": "2023.1.3",
              "status": "affected",
              "version": "2023.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2023.0.8",
              "status": "affected",
              "version": "2023.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2022.1.11",
              "status": "affected",
              "version": "2022.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "2022.0.10",
              "status": "affected",
              "version": "2022.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Aden Yap Chuen Zhen, BAE SYSTEM Digital Intelligence"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10.\u003c/p\u003e"
            }
          ],
          "value": "Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-620",
              "description": "CWE-620 Unverified Password Change",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-06T22:16:48.036Z",
        "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "shortName": "ProgressSoftware"
      },
      "references": [
        {
          "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2023_1/page/Fixed-Issues-in-2023.1.3.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "MOVEit Transfer REST API does not require current password in order to initiate the password change process",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
    "assignerShortName": "ProgressSoftware",
    "cveId": "CVE-2025-11235",
    "datePublished": "2026-01-06T22:16:48.036Z",
    "dateReserved": "2025-10-01T19:09:58.385Z",
    "dateUpdated": "2026-01-07T16:25:41.732Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-10159 (GCVE-0-2025-10159)

Vulnerability from cvelistv5 – Published: 2025-09-09 20:58 – Updated: 2025-09-10 16:10
VLAI
Summary
An authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos AP6 Series Wireless Access Points older than firmware version 1.7.2563 (MR7).
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-620 - Unverified Password Change
Assigner
Impacted products
Vendor Product Version
Sophos AP6 Series Wireless Access Points Affected: 0 , < 1.7.2563 (MR7) (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-10159",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-10T13:41:20.476524Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-10T16:10:07.518Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "AP6 Series Wireless Access Points",
          "vendor": "Sophos",
          "versions": [
            {
              "lessThan": "1.7.2563 (MR7)",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos AP6 Series Wireless Access Points older than firmware version 1.7.2563 (MR7).\u003c/p\u003e"
            }
          ],
          "value": "An authentication bypass vulnerability allows remote attackers to gain administrative privileges on Sophos AP6 Series Wireless Access Points older than firmware version 1.7.2563 (MR7)."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-620",
              "description": "CWE-620 Unverified Password Change",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T21:02:39.875Z",
        "orgId": "526a354d-e866-4174-ae7d-bac848e5c4c5",
        "shortName": "Sophos"
      },
      "references": [
        {
          "url": "https://www.sophos.com/en-us/security-advisories/sophos-sa-20250909-ap6"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "526a354d-e866-4174-ae7d-bac848e5c4c5",
    "assignerShortName": "Sophos",
    "cveId": "CVE-2025-10159",
    "datePublished": "2025-09-09T20:58:26.650Z",
    "dateReserved": "2025-09-09T12:39:01.231Z",
    "dateUpdated": "2025-09-10T16:10:07.518Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-9286 (GCVE-0-2025-9286)

Vulnerability from cvelistv5 – Published: 2025-10-03 11:17 – Updated: 2026-04-08 16:46
VLAI
Title
Appy Pie Connect for WooCommerce <= 1.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via reset_user_password
Summary
The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to to reset the password of arbitrary users, including administrators, thereby gaining administrative access.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-620 - Unverified Password Change
Assigner
Impacted products
Vendor Product Version
hancock11 Appy Pie Connect for WooCommerce Affected: 0 , ≤ 1.1.2 (semver)
Create a notification for this product.
Credits
JohSka
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-9286",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-03T18:02:51.622311Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-03T18:03:05.831Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Appy Pie Connect for WooCommerce",
          "vendor": "hancock11",
          "versions": [
            {
              "lessThanOrEqual": "1.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "JohSka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to to reset the password of arbitrary users, including administrators, thereby gaining administrative access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-620",
              "description": "CWE-620 Unverified Password Change",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:46:14.529Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/36fb5b8d-1ea4-45c2-8639-b229efdb57db?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/appy-pie-connect-for-woocommerce/trunk/connect-woocommerce-rest-api.php"
        },
        {
          "url": "https://wordpress.org/plugins/appy-pie-connect-for-woocommerce/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3385150/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-02T22:31:47.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Appy Pie Connect for WooCommerce \u003c= 1.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via reset_user_password"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-9286",
    "datePublished": "2025-10-03T11:17:10.009Z",
    "dateReserved": "2025-08-20T21:29:49.417Z",
    "dateUpdated": "2026-04-08T16:46:14.529Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-6097 (GCVE-0-2025-6097)

Vulnerability from cvelistv5 – Published: 2025-06-16 00:00 – Updated: 2025-06-16 16:22
VLAI
Title
UTT 进取 750W Administrator Password setSysAdm formDefineManagement unverified password change
Summary
A vulnerability was found in UTT 进取 750W up to 5.0 and classified as critical. Affected by this issue is the function formDefineManagement of the file /goform/setSysAdm of the component Administrator Password Handler. The manipulation of the argument passwd1 leads to unverified password change. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-620 - Unverified Password Change
  • CWE-640 - Weak Password Recovery
Assigner
References
Impacted products
Vendor Product Version
UTT 进取 750W Affected: 5.0
Create a notification for this product.
Credits
pfwqdxwdd (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-6097",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-16T16:22:40.258870Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-16T16:22:55.742Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Administrator Password Handler"
          ],
          "product": "\u8fdb\u53d6 750W",
          "vendor": "UTT",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "pfwqdxwdd (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in UTT \u8fdb\u53d6 750W up to 5.0 and classified as critical. Affected by this issue is the function formDefineManagement of the file /goform/setSysAdm of the component Administrator Password Handler. The manipulation of the argument passwd1 leads to unverified password change. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "Eine Schwachstelle wurde in UTT \u8fdb\u53d6 750W bis 5.0 gefunden. Sie wurde als kritisch eingestuft. Es geht hierbei um die Funktion formDefineManagement der Datei /goform/setSysAdm der Komponente Administrator Password Handler. Dank Manipulation des Arguments passwd1 mit unbekannten Daten kann eine unverified password change-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-620",
              "description": "Unverified Password Change",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "Weak Password Recovery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-16T00:00:12.840Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-312566 | UTT \u8fdb\u53d6 750W Administrator Password setSysAdm formDefineManagement unverified password change",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.312566"
        },
        {
          "name": "VDB-312566 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.312566"
        },
        {
          "name": "Submit #589425 | UTT \u8fdb\u53d6750w \u003c=V5.0 Unverified Password Change",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.589425"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/pfwqdxwdd/cve/blob/main/6.md"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/pfwqdxwdd/cve/blob/main/6.md#poc"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-06-15T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-06-15T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-06-15T09:01:30.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "UTT \u8fdb\u53d6 750W Administrator Password setSysAdm formDefineManagement unverified password change"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-6097",
    "datePublished": "2025-06-16T00:00:12.840Z",
    "dateReserved": "2025-06-15T06:56:23.268Z",
    "dateUpdated": "2025-06-16T16:22:55.742Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-5482 (GCVE-0-2025-5482)

Vulnerability from cvelistv5 – Published: 2025-06-04 07:21 – Updated: 2026-04-08 16:52
VLAI
Title
Sunshine Photo Cart <= 3.4.11 - Authenticated (Subscriber+) Privilege Escalation
Summary
The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.11. This is due to the plugin not properly validating a user-supplied key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords through the password reset functionality, including administrators, and leverage that to reset the user's password and gain access to their account.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-620 - Unverified Password Change
Assigner
Credits
Brian Sans-Souci Audrey François
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5482",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-04T13:44:24.662897Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-04T13:44:39.256Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Sunshine Photo Cart \u2013 Client Photo Gallery \u0026 Photo Proofing for Photographers",
          "vendor": "sunshinephotocart",
          "versions": [
            {
              "lessThanOrEqual": "3.4.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Brian Sans-Souci"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Audrey Fran\u00e7ois"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.11. This is due to the plugin not properly validating a user-supplied key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user\u0027s passwords through the password reset functionality, including administrators, and leverage that to reset the user\u0027s password and gain access to their account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-620",
              "description": "CWE-620 Unverified Password Change",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:52:57.489Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5311b43c-14dd-4bdd-b6d0-d6468b831968?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sunshine-photo-cart/trunk/includes/functions/account.php#L303"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3305406%40sunshine-photo-cart%2Ftrunk\u0026old=3261773%40sunshine-photo-cart%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-06-03T19:10:16.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Sunshine Photo Cart \u003c= 3.4.11 - Authenticated (Subscriber+) Privilege Escalation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-5482",
    "datePublished": "2025-06-04T07:21:45.490Z",
    "dateReserved": "2025-06-02T19:40:42.633Z",
    "dateUpdated": "2026-04-08T16:52:57.489Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-4903 (GCVE-0-2025-4903)

Vulnerability from cvelistv5 – Published: 2025-05-19 00:31 – Updated: 2025-05-19 15:21
VLAI
Title
D-Link DI-7003GV2 webgl.asp sub_41F4F0 unverified password change
Summary
A vulnerability, which was classified as critical, was found in D-Link DI-7003GV2 24.04.18D1 R(68125). This affects the function sub_41F4F0 of the file /H5/webgl.asp?tggl_port=0&remote_management=0&http_passwd=game&exec_service=admin-restart. The manipulation leads to unverified password change. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-620 - Unverified Password Change
  • CWE-640 - Weak Password Recovery
Assigner
References
URL Tags
https://vuldb.com/?id.309459 vdb-entrytechnical-description
https://vuldb.com/?ctiid.309459 signaturepermissions-required
https://vuldb.com/?submit.578051 third-party-advisory
https://github.com/at0de/my_vulns/blob/main/Dlink… exploit
https://www.dlink.com/ product
Impacted products
Vendor Product Version
D-Link DI-7003GV2 Affected: 24.04.18D1 R(68125)
Create a notification for this product.
Credits
153528990 (VulDB User)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4903",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-19T14:51:21.159992Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-19T15:21:59.622Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "DI-7003GV2",
          "vendor": "D-Link",
          "versions": [
            {
              "status": "affected",
              "version": "24.04.18D1 R(68125)"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "153528990 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as critical, was found in D-Link DI-7003GV2 24.04.18D1 R(68125). This affects the function sub_41F4F0 of the file /H5/webgl.asp?tggl_port=0\u0026remote_management=0\u0026http_passwd=game\u0026exec_service=admin-restart. The manipulation leads to unverified password change. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."
        },
        {
          "lang": "de",
          "value": "Es wurde eine kritische Schwachstelle in D-Link DI-7003GV2 24.04.18D1 R(68125) gefunden. Betroffen hiervon ist die Funktion sub_41F4F0 der Datei /H5/webgl.asp?tggl_port=0\u0026remote_management=0\u0026http_passwd=game\u0026exec_service=admin-restart. Durch das Manipulieren mit unbekannten Daten kann eine unverified password change-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-620",
              "description": "Unverified Password Change",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "Weak Password Recovery",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-19T00:31:04.582Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-309459 | D-Link DI-7003GV2 webgl.asp sub_41F4F0 unverified password change",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.309459"
        },
        {
          "name": "VDB-309459 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.309459"
        },
        {
          "name": "Submit #578051 | D-Link DI-7003GV2 24.04.18D1 R(68125) Improper Access Controls",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.578051"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/at0de/my_vulns/blob/main/Dlink/Di-7003GV2/webgl_asp.md"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.dlink.com/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-05-17T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-05-17T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-05-17T15:11:27.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "D-Link DI-7003GV2 webgl.asp sub_41F4F0 unverified password change"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-4903",
    "datePublished": "2025-05-19T00:31:04.582Z",
    "dateReserved": "2025-05-17T13:06:16.188Z",
    "dateUpdated": "2025-05-19T15:21:59.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-4606 (GCVE-0-2025-4606)

Vulnerability from cvelistv5 – Published: 2025-07-09 03:22 – Updated: 2026-04-08 17:14
VLAI
Title
Sala - Startup & SaaS WordPress Theme <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover
Summary
The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-620 - Unverified Password Change
Assigner
Impacted products
Vendor Product Version
uxper Sala - Startup & SaaS WordPress Theme Affected: 0 , ≤ 1.1.4 (semver)
Create a notification for this product.
Credits
Thái An
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4606",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T14:29:03.169024Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T14:29:40.327Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Sala - Startup \u0026 SaaS WordPress Theme",
          "vendor": "uxper",
          "versions": [
            {
              "lessThanOrEqual": "1.1.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Th\u00e1i An"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Sala - Startup \u0026 SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user\u0027s identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-620",
              "description": "CWE-620 Unverified Password Change",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:14:20.075Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa385a1f-1623-4f0a-bb2f-d4564b8f91bf?source=cve"
        },
        {
          "url": "https://themeforest.net/item/sala-startup-saas-wordpress-theme/33843955?s_rank=4"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-07-08T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Sala - Startup \u0026 SaaS WordPress Theme \u003c= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-4606",
    "datePublished": "2025-07-09T03:22:04.150Z",
    "dateReserved": "2025-05-12T18:39:36.171Z",
    "dateUpdated": "2026-04-08T17:14:20.075Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-4558 (GCVE-0-2025-4558)

Vulnerability from cvelistv5 – Published: 2025-05-12 03:08 – Updated: 2025-05-12 17:40
VLAI
Title
WormHole Tech GPM - Unverified Password Change
Summary
The GPM from WormHole Tech has an Unverified Password Change vulnerability, allowing unauthenticated remote attackers to change any user's password and use the modified password to log into the system.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-620 - Unverified Password Change
Assigner
References
Impacted products
Vendor Product Version
WormHole Tech GPM Affected: 0 , < 202502 (custom)
Create a notification for this product.
Date Public
2025-05-12 03:05
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-4558",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-12T17:36:18.250082Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-12T17:40:03.588Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "GPM",
          "vendor": "WormHole Tech",
          "versions": [
            {
              "lessThan": "202502",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2025-05-12T03:05:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The GPM from WormHole Tech has an Unverified Password Change vulnerability, allowing unauthenticated remote attackers to change any user\u0027s password and use the modified password to log into the system."
            }
          ],
          "value": "The GPM from WormHole Tech has an Unverified Password Change vulnerability, allowing unauthenticated remote attackers to change any user\u0027s password and use the modified password to log into the system."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-1",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-620",
              "description": "CWE-620 Unverified Password Change",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-12T03:15:58.398Z",
        "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "shortName": "twcert"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.twcert.org.tw/tw/cp-132-10114-10b4b-1.html"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.twcert.org.tw/en/cp-139-10115-f5f14-2.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u0026nbsp; Update to version 202502 or later\u003cbr\u003e"
            }
          ],
          "value": "Update to version 202502 or later"
        }
      ],
      "source": {
        "advisory": "TVN-202505010",
        "discovery": "EXTERNAL"
      },
      "title": "WormHole Tech GPM - Unverified Password Change",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
    "assignerShortName": "twcert",
    "cveId": "CVE-2025-4558",
    "datePublished": "2025-05-12T03:08:50.733Z",
    "dateReserved": "2025-05-12T01:49:30.350Z",
    "dateUpdated": "2025-05-12T17:40:03.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Mitigation
Architecture and Design

When prompting for a password change, force the user to provide the original password in addition to the new password.

Mitigation
Architecture and Design

Do not use "forgotten password" functionality. But if you must, ensure that you are only providing information to the actual user, e.g. by using an email address or challenge question that the legitimate user already provided in the past; do not allow the current user to change this identity information until the correct password has been provided.

No CAPEC attack patterns related to this CWE.