Description
Cross-Site request forgery (CSRF) vulnerability in Andy Moyle Emergency Password Reset allows Cross Site Request Forgery.

This issue affects Emergency Password Reset: from n/a through 8.0.
Published: 2026-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Emergency Password Reset plugin contains a CSRF flaw that allows a malicious site to send forced requests to a WordPress site. Based on the description, it is inferred that an attacker could impersonate a logged‑in administrator and perform any action that the user’s session permits, without needing credentials. The weakness is classified as CWE‑352, indicating missing or insufficient anti‑CSRF protections. The severity, a CVSS score of 4.3, indicates moderate risk and no indication of a high‑profile exploit.

Affected Systems

Versions of Andy Moyle’s Emergency Password Reset ranging from its initial release through 8.0 are affected. WordPress installations running any of those releases are vulnerable.

Risk and Exploitability

The CVSS score of 4.3 marks the vulnerability as moderate. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited evidence of exploitation. Based on the description, the likely attack vector is that a user authenticated to the site must visit a malicious page that submits the forged request. There are no other exploit prerequisites noted.

Generated by OpenCVE AI on June 18, 2026 at 14:31 UTC.

Remediation

Vendor Solution

Update the WordPress Emergency Password Reset plugin to the latest available version (at least 9.0).


OpenCVE Recommended Actions

  • Update the Emergency Password Reset plugin to the latest supported version (9.0 or later).
  • If the plugin is not required for operations, disable or uninstall it to remove the attack surface.
  • Ensure that WordPress core and other plugins enforce proper nonce usage on all state‑changing requests and monitor traffic for unexpected requests that may indicate CSRF activity.

Generated by OpenCVE AI on June 18, 2026 at 14:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Andy Moyle
Andy Moyle emergency Password Reset
Wordpress
Wordpress wordpress
Vendors & Products Andy Moyle
Andy Moyle emergency Password Reset
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description Cross-Site request forgery (CSRF) vulnerability in Andy Moyle Emergency Password Reset allows Cross Site Request Forgery. This issue affects Emergency Password Reset: from n/a through 8.0.
Title WordPress Emergency Password Reset plugin <= 8.0 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Andy Moyle Emergency Password Reset
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:30:36.673Z

Reserved: 2024-05-17T10:08:10.961Z

Link: CVE-2024-35648

cve-icon Vulnrichment

Updated: 2026-06-17T15:30:28.417Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:26Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)