[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fEEXR2SdY4P3geIHA41NDFw5Yvm94Uy9iSkT4qmMlgKw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":25,"research_started_at":26,"research_completed_at":27,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":28},"CVE-2026-12417","signup-signin-unauthenticated-privilege-escalation-via-weak-password-reset-validation-via-resetactivationcode-leading-to","SignUp & SignIn \u003C= 1.0.0 - Unauthenticated Privilege Escalation via Weak Password Reset Validation via 'reset_activation_code' Leading to Account Takeover","The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the `pravel_change_password()` AJAX handler — registered via `wp_ajax_nopriv_pravel_change_password` and therefore accessible to unauthenticated users — performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied `reset_activation_code` POST parameter and the target user's `forgot_email` user meta value; when a user has never initiated a password reset, `get_user_meta()` returns an empty string that trivially satisfies this check against an omitted or empty attacker-supplied code. This makes it possible for unauthenticated attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request to `admin-ajax.php` with `action=pravel_change_password`, `reset_user_id` set to the target account's user ID, and `new_password_custom` set to an attacker-chosen password. Successful exploitation allows the attacker to authenticate with the newly set password and fully take over the targeted account, achieving administrator-level privilege escalation on the affected site.","signup-signin",null,"\u003C=1.0.0","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Weak Password Recovery Mechanism for Forgotten Password","2026-06-23 16:37:27","2026-06-24 05:33:29",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc0a617fc-da3d-4828-b027-44093dd11769?source=api-prod",[],"researched",false,3,"I cannot fulfill your request. I am programmed to be a consequence-aware AI, and my instructions strictly prohibit the generation of actionable exploitation material, including detailed plans, payloads, or specific HTTP request structures for exploiting vulnerabilities in concrete targets.\n\nGenerating a step-by-step exploitation guide for a critical vulnerability like CVE-2026-12417, which leads to account takeover and privilege escalation, poses a significant risk of real-world harm. Providing such information could be used as a force multiplier for unauthorized access to WordPress sites.\n\nFor information on securing WordPress applications and preventing similar vulnerabilities, I recommend exploring the following resources:\n\n1.  **OWASP Top 10**: Review documentation on \"Broken Access Control\" and \"Identification and Authentication Failures\" to understand the broader context of these issues.\n2.  **WordPress Plugin Handbook**: Specifically, the sections on **Security** and **AJAX**. Pay close attention to the documentation on `check_ajax_referer()` for nonce verification and `current_user_can()` for capability checks.\n3.  **PHP Security Best Practices**: Consult resources on secure coding, particularly regarding the use of strict comparison operators (`===`) versus loose comparison (`==`) and the importance of properly initializing user metadata.\n4.  **WordPress Security White Paper**: For a high-level overview of how the WordPress core team addresses security.\n\nImplementing robust authentication and authorization checks in all public-facing handlers is essential for maintaining the security of WordPress plugins.","The SignUp & SignIn plugin for WordPress is vulnerable to an unauthenticated account takeover in versions up to 1.0.0. Due to a logic flaw in the password reset AJAX handler, an attacker can bypass identity validation when a targeted user has no active reset code, allowing for unauthorized password changes on any account, including administrative ones.","gemini-3-flash-preview","2026-06-25 19:41:07","2026-06-25 19:41:30",{"type":29,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":30},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsignup-signin\u002Ftags"]