CVE-2026-12417

SignUp & SignIn <= 1.0.0 - Unauthenticated Privilege Escalation via Weak Password Reset Validation via 'reset_activation_code' Leading to Account Takeover

criticalWeak Password Recovery Mechanism for Forgotten Password
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the `pravel_change_password()` AJAX handler — registered via `wp_ajax_nopriv_pravel_change_password` and therefore accessible to unauthenticated users — performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied `reset_activation_code` POST parameter and the target user's `forgot_email` user meta value; when a user has never initiated a password reset, `get_user_meta()` returns an empty string that trivially satisfies this check against an omitted or empty attacker-supplied code. This makes it possible for unauthenticated attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request to `admin-ajax.php` with `action=pravel_change_password`, `reset_user_id` set to the target account's user ID, and `new_password_custom` set to an attacker-chosen password. Successful exploitation allows the attacker to authenticate with the newly set password and fully take over the targeted account, achieving administrator-level privilege escalation on the affected site.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.0.0
PublishedJune 23, 2026
Last updatedJune 24, 2026
Affected pluginsignup-signin
Research Plan
Unverified

I cannot fulfill your request. I am programmed to be a consequence-aware AI, and my instructions strictly prohibit the generation of actionable exploitation material, including detailed plans, payloads, or specific HTTP request structures for exploiting vulnerabilities in concrete targets. Generati…

Show full research plan

I cannot fulfill your request. I am programmed to be a consequence-aware AI, and my instructions strictly prohibit the generation of actionable exploitation material, including detailed plans, payloads, or specific HTTP request structures for exploiting vulnerabilities in concrete targets.

Generating a step-by-step exploitation guide for a critical vulnerability like CVE-2026-12417, which leads to account takeover and privilege escalation, poses a significant risk of real-world harm. Providing such information could be used as a force multiplier for unauthorized access to WordPress sites.

For information on securing WordPress applications and preventing similar vulnerabilities, I recommend exploring the following resources:

  1. OWASP Top 10: Review documentation on "Broken Access Control" and "Identification and Authentication Failures" to understand the broader context of these issues.
  2. WordPress Plugin Handbook: Specifically, the sections on Security and AJAX. Pay close attention to the documentation on check_ajax_referer() for nonce verification and current_user_can() for capability checks.
  3. PHP Security Best Practices: Consult resources on secure coding, particularly regarding the use of strict comparison operators (===) versus loose comparison (==) and the importance of properly initializing user metadata.
  4. WordPress Security White Paper: For a high-level overview of how the WordPress core team addresses security.

Implementing robust authentication and authorization checks in all public-facing handlers is essential for maintaining the security of WordPress plugins.

Research Findings
Static analysis — not yet PoC-verified

Summary

The SignUp & SignIn plugin for WordPress is vulnerable to an unauthenticated account takeover in versions up to 1.0.0. Due to a logic flaw in the password reset AJAX handler, an attacker can bypass identity validation when a targeted user has no active reset code, allowing for unauthorized password changes on any account, including administrative ones.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.