Impact
The Emergency Password Reset plugin contains a CSRF flaw that allows a malicious site to send forced requests to a WordPress site. Based on the description, it is inferred that an attacker could impersonate a logged‑in administrator and perform any action that the user’s session permits, without needing credentials. The weakness is classified as CWE‑352, indicating missing or insufficient anti‑CSRF protections. The severity, a CVSS score of 4.3, indicates moderate risk and no indication of a high‑profile exploit.
Affected Systems
Versions of Andy Moyle’s Emergency Password Reset ranging from its initial release through 8.0 are affected. WordPress installations running any of those releases are vulnerable.
Risk and Exploitability
The CVSS score of 4.3 marks the vulnerability as moderate. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited evidence of exploitation. Based on the description, the likely attack vector is that a user authenticated to the site must visit a malicious page that submits the forged request. There are no other exploit prerequisites noted.
OpenCVE Enrichment