Description
The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.
Published: 2026-07-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AllCoach WordPress plugin before version 1.0.2 fails to verify that an email address submitted to a public account‑registration endpoint is not already associated with an existing user before overwriting that user’s password. As a result, any attacker can reset the password for any account whose email address is known, including administrators, and thereby take control of the site.

Affected Systems

WordPress sites that use the AllCoach plugin version earlier than 1.0.2 are affected. All users whose email addresses are registered on those sites are at risk, regardless of role, including administrators.

Risk and Exploitability

The vulnerability carries a high CVSS score of 8.8, indicating significant impact if exploited. However, the EPSS score is reported as less than 1 %, suggesting that exploitation is currently considered unlikely, and the flaw is not listed in CISA’s KEV catalog. Based on the description, it is inferred that attackers can target the public account‑registration endpoint without any authentication, provided they know an existing email address. The likely attack vector is that attackers either know or can discover such addresses and then trigger the password reset, allowing them to gain the privileges of the compromised account.

Generated by OpenCVE AI on July 6, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AllCoach plugin to version 1.0.2 or newer to eliminate the unsafe password reset behavior.
  • If the plugin cannot be upgraded, remove or disable the AllCoach plugin until a fix is available.
  • Restrict or block external access to the account‑registration endpoint, for example by adding authentication or firewall rules, to prevent unauthenticated password resets.
  • Monitor site logs for suspicious password reset attempts and enforce strong passwords and two‑factor authentication for all user accounts.

Generated by OpenCVE AI on July 6, 2026 at 21:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-287
CWE-613

Mon, 06 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 07:30:00 +0000

Type Values Removed Values Added
Description The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.
Title AllCoach < 1.0.2 - Unauthenticated Account Takeover
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-07-06T12:03:51.033Z

Reserved: 2026-06-04T10:01:02.658Z

Link: CVE-2026-10830

cve-icon Vulnrichment

Updated: 2026-07-06T12:03:28.128Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T21:15:16Z

Weaknesses
  • CWE-287

    Improper Authentication

  • CWE-613

    Insufficient Session Expiration