Description
The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the `pravel_change_password()` AJAX handler — registered via `wp_ajax_nopriv_pravel_change_password` and therefore accessible to unauthenticated users — performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied `reset_activation_code` POST parameter and the target user's `forgot_email` user meta value; when a user has never initiated a password reset, `get_user_meta()` returns an empty string that trivially satisfies this check against an omitted or empty attacker-supplied code. This makes it possible for unauthenticated attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request to `admin-ajax.php` with `action=pravel_change_password`, `reset_user_id` set to the target account's user ID, and `new_password_custom` set to an attacker-chosen password. Successful exploitation allows the attacker to authenticate with the newly set password and fully take over the targeted account, achieving administrator-level privilege escalation on the affected site.
Published: 2026-06-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In WordPress installations that use the SignUp & SignIn plugin, the AJAX handler for password changes is exposed to unauthenticated users. The handler performs no nonce verification and no capability check, and it uses a loose equality comparison between an attacker-supplied code and the target user’s stored reset code. When the user has never requested a password reset, the stored value is empty, so an absent or empty attacker-supplied code satisfies the check. Consequently a remote actor can send a crafted POST request to admin-ajax.php with action=pravel_change_password, specify the target user’s ID and a new password, and alter that user’s login credentials. The attacker can then authenticate as that user, including administrator accounts, achieving full privilege escalation.
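The three missing controls named above, shown in an illustrative hardened reset handler; this is an added example, not the plugin's or vendor's code. The hook name and POST field names come from the CVE description, while the nonce action name, the `forgot_email_expires` meta key and the function name are assumptions made for this example.

```php
<?php
// Added example of a hardened handler, not the plugin's code. A forgotten-password
// flow is necessarily unauthenticated, so a capability check cannot apply here;
// what replaces it is requiring a non-empty, unexpired code bound to the user.
add_action( 'wp_ajax_nopriv_pravel_change_password', 'example_hardened_change_password', 0 );

function example_hardened_change_password() {
    // 1. Nonce: the request must come from the plugin's own reset form
    //    ('pravel_reset_nonce' is an assumed action name).
    check_ajax_referer( 'pravel_reset_nonce', 'nonce' );

    $user_id = absint( $_POST['reset_user_id'] ?? 0 );
    $code    = sanitize_text_field( wp_unslash( $_POST['reset_activation_code'] ?? '' ) );
    $new_pw  = (string) wp_unslash( $_POST['new_password_custom'] ?? '' );

    // 2. A reset must actually be pending. An empty stored code is a hard failure;
    //    this is exactly the state the loose '==' comparison accepted.
    $stored  = (string) get_user_meta( $user_id, 'forgot_email', true );
    $expires = (int) get_user_meta( $user_id, 'forgot_email_expires', true ); // assumed key
    if ( '' === $stored || '' === $code || ! get_userdata( $user_id ) ) {
        wp_send_json_error( 'Invalid reset request.', 403 );
    }
    if ( $expires && time() > $expires ) {
        delete_user_meta( $user_id, 'forgot_email' );
        delete_user_meta( $user_id, 'forgot_email_expires' );
        wp_send_json_error( 'Reset code expired.', 403 );
    }

    // 3. Strict, constant-time comparison; hash_equals() never type-juggles
    //    the way '==' does, so '' or a missing parameter can never match.
    if ( ! hash_equals( $stored, $code ) ) {
        wp_send_json_error( 'Invalid reset code.', 403 );
    }

    if ( strlen( $new_pw ) < 12 ) {
        wp_send_json_error( 'Password too short.', 400 );
    }

    // Single use: discard the code before the password is changed.
    delete_user_meta( $user_id, 'forgot_email' );
    delete_user_meta( $user_id, 'forgot_email_expires' );
    wp_set_password( $new_pw, $user_id );

    wp_send_json_success( 'Password updated.' );
}
```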

Affected Systems

All WordPress sites that have installed the SignUp & SignIn plugin version 1.0.0 or earlier are affected. The vulnerability exists in the plugin’s AJAX endpoint, which is registered with wp_ajax_nopriv_pravel_change_password and is reachable by any user, regardless of authentication status.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, reflecting high impact on the confidentiality, integrity and availability of the affected site. No EPSS score is publicly available, and the issue is not listed in CISA’s KEV catalog. The attack vector is remote, requiring only an unauthenticated POST request to the plugin’s AJAX endpoint; no credentials or privileges are necessary. Successful exploitation allows an attacker to take over any account on the site, including administrator-level accounts.

Generated by OpenCVE AI on June 24, 2026 at 09:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SignUp & SignIn plugin to the latest release that fixes the password reset validation flaw.
  • If an update is not yet available, temporarily disable the plugin, or neutralise the wp_ajax_nopriv_pravel_change_password handler by editing the plugin’s code or class functions.
  • Force all existing users, especially administrators, to change to strong, unique passwords immediately after applying the mitigation.
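The second action above without editing the plugin itself, as an added example (not vendor code) in the form of a must-use plugin that short-circuits the vulnerable AJAX action; the hook name is from the CVE description, while the file location, function name and log format are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary block for pravel_change_password
 * Added example, not vendor code. Drop into wp-content/mu-plugins/ (assumed path).
 * Priority 0 runs before the plugin's handler (default priority 10), and
 * wp_send_json_error() calls wp_die(), so the vulnerable callback never executes.
 * Remove once a fixed plugin release is installed.
 */
add_action( 'wp_ajax_nopriv_pravel_change_password', 'example_block_pravel_reset', 0 );
add_action( 'wp_ajax_pravel_change_password', 'example_block_pravel_reset', 0 );

function example_block_pravel_reset() {
    // Record enough to investigate attempts; never log the submitted password.
    error_log( sprintf(
        'Blocked pravel_change_password request from %s for reset_user_id=%d',
        sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? 'unknown' ),
        absint( $_POST['reset_user_id'] ?? 0 )
    ) );

    wp_send_json_error( 'Password reset via this endpoint is disabled.', 403 );
}
```

Repeated 403s in the error log for this action are a useful indicator that the unpatched endpoint is being probed and that the forced password rotation in the third action should not be delayed.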

History

Wed, 24 Jun 2026 06:30:00 +0000 (initial record; no values removed)

Values added:
  • Description: identical to the Description section above
  • Title: SignUp & SignIn <= 1.0.0 - Unauthenticated Privilege Escalation via Weak Password Reset Validation via 'reset_activation_code' Leading to Account Takeover
  • Weaknesses: CWE-640
  • References: none
  • Metrics (cvssV3_1): score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-06-24T05:33:29.852Z
Reserved: 2026-06-16T16:02:39.731Z
Link: CVE-2026-12417

OpenCVE Enrichment

Updated: 2026-06-24T09:45:14Z

Weaknesses
  • CWE-640: Weak Password Recovery Mechanism for Forgotten Password