The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.
References
Configurations
No configuration.
History
06 Jul 2026, 13:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
06 Jul 2026, 09:10
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
06 Jul 2026, 08:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-06 08:16
Updated : 2026-07-06 18:37
NVD link : CVE-2026-10830
Mitre link : CVE-2026-10830
CVE.ORG link : CVE-2026-10830
JSON object : View
Products Affected
No product.
CWE
No CWE.
