Impact
The AllCoach WordPress plugin before version 1.0.2 fails to verify that an email address submitted to a public account‑registration endpoint is not already associated with an existing user before overwriting that user’s password. As a result, any attacker can reset the password for any account whose email address is known, including administrators, and thereby take control of the site.
Affected Systems
WordPress sites that use the AllCoach plugin version earlier than 1.0.2 are affected. All users whose email addresses are registered on those sites are at risk, regardless of role, including administrators.
Risk and Exploitability
The vulnerability carries a high CVSS score of 8.8, indicating significant impact if exploited. However, the EPSS score is reported as less than 1 %, suggesting that exploitation is currently considered unlikely, and the flaw is not listed in CISA’s KEV catalog. Based on the description, it is inferred that attackers can target the public account‑registration endpoint without any authentication, provided they know an existing email address. The likely attack vector is that attackers either know or can discover such addresses and then trigger the password reset, allowing them to gain the privileges of the compromised account.
OpenCVE Enrichment