Impact
The vulnerability originates from a weak password recovery mechanism in the Hossein Material Dashboard plugin. An attacker can trigger the password reset flow and set a new password for a target account without sufficient verification that the requester owns the account, enabling the attacker to assume that account’s identity and potentially gain administrative privileges within the WordPress site. This weakness corresponds to CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). Confidentiality, integrity, and availability are all affected, since an attacker could take full control of the site through the compromised account.
Affected Systems
The affected component is the Hossein Material Dashboard plugin for WordPress, with all releases up to and including version 1.4.6 being vulnerable. Any WordPress site that has not upgraded beyond 1.4.6 is at risk.
Risk and Exploitability
The CVSS score of 9.8 places the issue in the critical severity band, while an EPSS score below 1% indicates that the probability of observed exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the publicly accessible password reset endpoint, which requires only knowledge of a legitimate username or email address to initiate the reset process. Once the attacker sets a new password, they can log in as that account, with the resulting privileges depending on the account’s role.
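As an added illustration (not code from the plugin or from this advisory), the weak pattern the Impact and Risk sections describe is shown beside a reset flow built on WordPress core's keyed mechanism. The plugin's real code is not on this page; all function and action names here are hypothetical.

```php
<?php
// Illustrative only, not the plugin's code. Hook and function names are hypothetical.

// WEAK (CWE-640 pattern): knowing an email address is enough to set that
// account's password. No proof of account ownership is ever checked.
function hmd_demo_weak_reset() {
    $user = get_user_by( 'email', sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ) );
    if ( $user ) {
        wp_set_password( (string) wp_unslash( $_POST['new_password'] ?? '' ), $user->ID );
    }
    wp_send_json_success();
}

// HARDENED step 1: only mail a single-use, expiring key to the address on file.
function hmd_demo_request_reset() {
    $user = get_user_by( 'email', sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ) );
    if ( $user ) {
        $key = get_password_reset_key( $user ); // stored hashed with a timestamp by core
        if ( ! is_wp_error( $key ) ) {
            $url = network_site_url( 'wp-login.php?action=rp&key=' . rawurlencode( $key )
                   . '&login=' . rawurlencode( $user->user_login ), 'login' );
            wp_mail( $user->user_email, 'Password reset', "Reset link: $url" );
        }
    }
    // Uniform response so the endpoint does not reveal which addresses exist.
    wp_send_json_success( array( 'message' => 'If the address exists, a link was sent.' ) );
}

// HARDENED step 2: the new password is accepted only with a valid, unexpired key
// that was issued for this exact login.
function hmd_demo_complete_reset() {
    $key   = sanitize_text_field( wp_unslash( $_POST['key'] ?? '' ) );
    $login = sanitize_user( wp_unslash( $_POST['login'] ?? '' ) );
    $user  = check_password_reset_key( $key, $login ); // WP_User or WP_Error
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired reset key.' ), 403 );
    }
    $new = (string) wp_unslash( $_POST['new_password'] ?? '' );
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Password too short.' ), 400 );
    }
    reset_password( $user, $new ); // wp_set_password() underneath also clears the key
    wp_send_json_success();
}

add_action( 'wp_ajax_nopriv_hmd_demo_request_reset', 'hmd_demo_request_reset' );
add_action( 'wp_ajax_nopriv_hmd_demo_complete_reset', 'hmd_demo_complete_reset' );
```

The difference to look for when reviewing a plugin's reset handler is whether any call that changes the password is gated on check_password_reset_key() (or an equivalent ownership proof) rather than on a user-supplied identifier alone.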
OpenCVE Enrichment