Common Weakness Enumeration
CWE-640
Weak Password Recovery Mechanism for Forgotten Password
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
CVE-2026-56081 (GCVE-0-2026-56081)
Vulnerability from cvelistv5 – Published: 2026-06-19 21:39 – Updated: 2026-06-22 17:48
Title
Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email
Summary
Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim's email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim's identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email.
Severity
9.1 (Critical)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Cap-go/capgo/security/advisori… | vendor-advisory |
| https://www.vulncheck.com/advisories/cap-go-accou… | third-party-advisory |
Date Public
2026-02-10 00:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-56081",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T17:48:44.967855Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T17:48:49.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-j4cx-5pw6-5v5j"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "capgo",
"vendor": "Cap-go",
"versions": [
{
"lessThan": "12.128.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "12.128.2",
"versionType": "semver"
}
]
}
],
"datePublic": "2026-02-10T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cap-go before 12.128.2 contains an authentication logic flaw that lets an attacker register and control an account bound to a victim\u0027s email address before that email is verified. By enabling two-factor authentication on the pre-registered account, the attacker gains control over the account claimed under the victim\u0027s identity, allowing them to read and modify its state and enforce organization-level policies, while the legitimate user is denied access to the account tied to their own email."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-19T21:39:20.935Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "GHSA Advisory GHSA-j4cx-5pw6-5v5j",
"tags": [
"vendor-advisory"
],
"url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-j4cx-5pw6-5v5j"
},
{
"name": "VulnCheck Advisory: Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/cap-go-account-lockout-via-2fa-misconfiguration-on-unverified-email"
}
],
"title": "Cap-go - Account Lockout via 2FA Misconfiguration on Unverified Email",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-56081",
"datePublished": "2026-06-19T21:39:20.935Z",
"dateReserved": "2026-06-18T15:57:20.434Z",
"dateUpdated": "2026-06-22T17:48:49.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7459 (GCVE-0-2026-7459)
Vulnerability from cvelistv5 – Published: 2026-05-30 09:29 – Updated: 2026-06-01 10:33
Title
Simple History – Track, Log, and Audit WordPress Changes <= 5.26.0 - Authenticated (Subscriber+) Account Takeover via Missing Authorization on Event Reaction Endpoint
Summary
The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/<id>/react with the _fields=context query parameter and read the full context of any Simple History event — including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
References
12 references
Impacted products
1 product
| Vendor | Product | Affected versions |
|---|---|---|
| eskapism | Simple History – Track, Log, and Audit WordPress Changes | 0 to ≤ 5.26.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T10:32:22.650329Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T10:33:32.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Simple History \u2013 Track, Log, and Audit WordPress Changes",
"vendor": "eskapism",
"versions": [
{
"lessThanOrEqual": "5.26.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ly Hoang"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Simple History \u2013 Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events/\u003cid\u003e/react with the _fields=context query parameter and read the full context of any Simple History event \u2014 including SimpleUserLogger entries that record the full password-reset email body (reset URL with the reset key) for any user. The attacker triggers a password reset for an administrator via the lost-password form, brute-forces recent event IDs through the reaction endpoint to read the resulting user_requested_password_reset_link event, extracts the reset key from context.message, and completes the password reset to take over the administrator account. Exploitation requires an administrator to have first enabled the experimental features option (simple_history_experimental_features_enabled), which is not the default."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T09:29:00.787Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95d2bf1a-0993-4553-a00e-6f555c3f15be?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-wp-rest-events-controller.php#L1420"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-wp-rest-events-controller.php#L1420"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-wp-rest-events-controller.php#L1460"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-wp-rest-events-controller.php#L1460"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-wp-rest-events-controller.php#L778"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-wp-rest-events-controller.php#L778"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-event.php#L613"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-event.php#L613"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/trunk/inc/class-wp-rest-events-controller.php#L1215"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-history/tags/5.26.0/inc/class-wp-rest-events-controller.php#L1215"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3524112/simple-history/trunk/inc/class-wp-rest-events-controller.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-29T18:22:14.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-29T20:38:32.000Z",
"value": "Disclosed"
}
],
"title": "Simple History \u2013 Track, Log, and Audit WordPress Changes \u003c= 5.26.0 - Authenticated (Subscriber+) Account Takeover via Missing Authorization on Event Reaction Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7459",
"datePublished": "2026-05-30T09:29:00.787Z",
"dateReserved": "2026-04-29T18:01:43.775Z",
"dateUpdated": "2026-06-01T10:33:32.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7554 (GCVE-0-2026-7554)
Vulnerability from cvelistv5 – Published: 2026-05-01 04:45 – Updated: 2026-05-04 16:50
Title
D-Link M60 httpd password recovery
Summary
A vulnerability was determined in D-Link M60 up to 1.20B02. Affected by this issue is some unknown functionality of the file /usr/bin/httpd. This manipulation causes weak password recovery. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized.
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-640 - Weak Password Recovery
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/360362 | vdb-entry |
| https://vuldb.com/vuln/360362/cti | signature, permissions-required |
| https://vuldb.com/submit/805642 | third-party-advisory |
| https://www.yuque.com/iam0range/rle72q/dhs1zsbgtm1ne0y1 | exploit |
| https://www.dlink.com/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7554",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T16:47:16.958621Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T16:50:08.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "M60",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "1.20B02"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "iam0range (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in D-Link M60 up to 1.20B02. Affected by this issue is some unknown functionality of the file /usr/bin/httpd. This manipulation causes weak password recovery. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.1,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "Weak Password Recovery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T04:45:15.575Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-360362 | D-Link M60 httpd password recovery",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/360362"
},
{
"name": "VDB-360362 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/360362/cti"
},
{
"name": "Submit #805642 | https://www.dlink.com/ M60 AX6000 Wi-Fi 6 Smart Mesh Router Firmware: V1.20B02 Translation Authentication Bypass + Encrypted Integrity Check By",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/805642"
},
{
"tags": [
"exploit"
],
"url": "https://www.yuque.com/iam0range/rle72q/dhs1zsbgtm1ne0y1"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-30T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-30T21:13:24.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link M60 httpd password recovery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-7554",
"datePublished": "2026-05-01T04:45:15.575Z",
"dateReserved": "2026-04-30T19:07:48.377Z",
"dateUpdated": "2026-05-04T16:50:08.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7652 (GCVE-0-2026-7652)
Vulnerability from cvelistv5 – Published: 2026-05-09 02:25 – Updated: 2026-05-12 02:20
Title
LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism
Summary
The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0. This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address, granted the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
References
15 references
Impacted products
1 product
| Vendor | Product | Affected versions |
|---|---|---|
| latepoint | LatePoint – Calendar Booking Plugin for Appointments and Events | 0 to ≤ 5.5.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7652",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T02:20:10.480690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T02:20:23.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
"vendor": "latepoint",
"versions": [
{
"lessThanOrEqual": "5.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Iden"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the save_connected_wordpress_user() function propagating a LatePoint customer\u0027s email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow\u0027s ability to overwrite an existing customer\u0027s email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address granted the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T02:25:39.060Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdaa32cd-a148-4554-9fd5-f5b0a5b2d1c3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1940"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/customer_helper.php#L238"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/latepoint.php#L1165"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/latepoint.php#L1165"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1972"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1972"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1940"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1940"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/customer_helper.php#L238"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/customer_helper.php#L238"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/latepoint.php#L1165"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1972"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3522933/latepoint/trunk/latepoint.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Flatepoint/tags/5.5.0\u0026new_path=%2Flatepoint/tags/5.5.1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T18:12:32.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-08T14:16:05.000Z",
"value": "Disclosed"
}
],
"title": "LatePoint \u003c= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7652",
"datePublished": "2026-05-09T02:25:39.060Z",
"dateReserved": "2026-05-01T17:56:49.365Z",
"dateUpdated": "2026-05-12T02:20:23.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9466 (GCVE-0-2026-9466)
Vulnerability from cvelistv5 – Published: 2026-05-25 14:30 – Updated: 2026-05-28 12:51
Title
Tiandy Easy7 Integrated Management Platform API Endpoint updateUserPassword password recovery
Summary
A vulnerability was determined in Tiandy Easy7 Integrated Management Platform 7.17.0. This issue affects some unknown processing of the file /rest/user/updateUserPassword of the component API Endpoint. Executing a manipulation can lead to weak password recovery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-640 - Weak Password Recovery
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365447 | vdb-entry |
| https://vuldb.com/vuln/365447/cti | signature, permissions-required |
| https://vuldb.com/submit/813990 | third-party-advisory |
| https://ucn9h68n9289.feishu.cn/wiki/DRghw6X8piOtC… | exploit |
Impacted products
1 product
| Vendor | Product | Affected version | CPE |
|---|---|---|---|
| Tiandy | Easy7 Integrated Management Platform | 7.17.0 | cpe:2.3:a:tiandy:easy7_integrated_management_platform:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9466",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T12:51:27.799585Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T12:51:36.527Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:tiandy:easy7_integrated_management_platform:*:*:*:*:*:*:*:*"
],
"modules": [
"API Endpoint"
],
"product": "Easy7 Integrated Management Platform",
"vendor": "Tiandy",
"versions": [
{
"status": "affected",
"version": "7.17.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "bigbrother_man (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Tiandy Easy7 Integrated Management Platform 7.17.0. This issue affects some unknown processing of the file /rest/user/updateUserPassword of the component API Endpoint. Executing a manipulation can lead to weak password recovery. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "Weak Password Recovery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T14:30:37.779Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365447 | Tiandy Easy7 Integrated Management Platform API Endpoint updateUserPassword password recovery",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/365447"
},
{
"name": "VDB-365447 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365447/cti"
},
{
"name": "Submit #813990 | Tiandy Technologies Co., Ltd. Easy7 Integrated Management Platform 7.17.0 Weak Password Recovery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/813990"
},
{
"tags": [
"exploit"
],
"url": "https://ucn9h68n9289.feishu.cn/wiki/DRghw6X8piOtClkjBkHcfgvtnPx?from=from_copylink"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-24T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-24T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-24T11:00:48.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tiandy Easy7 Integrated Management Platform API Endpoint updateUserPassword password recovery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9466",
"datePublished": "2026-05-25T14:30:37.779Z",
"dateReserved": "2026-05-24T08:55:40.195Z",
"dateUpdated": "2026-05-28T12:51:36.527Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9609 (GCVE-0-2026-9609)
Vulnerability from cvelistv5 – Published: 2026-05-27 00:30 – Updated: 2026-05-27 12:52
Title
QianFox FoxCMS Admin.php edit password recovery
Summary
A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-640 - Weak Password Recovery
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365682 | vdb-entry, technical-description |
| https://vuldb.com/vuln/365682/cti | signature, permissions-required |
| https://vuldb.com/submit/818343 | third-party-advisory |
| https://github.com/QianFox/FoxCMS/issues/3 | exploit, issue-tracking |
| https://github.com/QianFox/FoxCMS/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9609",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T12:52:12.956556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T12:52:31.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:qianfox:foxcms:*:*:*:*:*:*:*:*"
],
"product": "FoxCMS",
"vendor": "QianFox",
"versions": [
{
"status": "affected",
"version": "1.2.0"
},
{
"status": "affected",
"version": "1.2.1"
},
{
"status": "affected",
"version": "1.2.2"
},
{
"status": "affected",
"version": "1.2.3"
},
{
"status": "affected",
"version": "1.2.4"
},
{
"status": "affected",
"version": "1.2.5"
},
{
"status": "affected",
"version": "1.2.6"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "lzihan (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in QianFox FoxCMS up to 1.2.6. This affects the function Edit of the file Admin.php. The manipulation leads to weak password recovery. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "Weak Password Recovery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T00:30:12.118Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365682 | QianFox FoxCMS Admin.php edit password recovery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/365682"
},
{
"name": "VDB-365682 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365682/cti"
},
{
"name": "Submit #818343 | QianFox FoxCMS 1.2.6 Improper Privilege Management",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/818343"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/QianFox/FoxCMS/issues/3"
},
{
"tags": [
"product"
],
"url": "https://github.com/QianFox/FoxCMS/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-26T18:28:38.000Z",
"value": "VulDB entry last update"
}
],
"title": "QianFox FoxCMS Admin.php edit password recovery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9609",
"datePublished": "2026-05-27T00:30:12.118Z",
"dateReserved": "2026-05-26T16:23:31.182Z",
"dateUpdated": "2026-05-27T12:52:31.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigations
Phase: Architecture and Design
- Make sure that all input supplied by the user to the password recovery mechanism is thoroughly filtered and validated.
- Do not use standard weak security questions, and use several security questions.
- Make sure that there is throttling on the number of incorrect answers to a security question. Disable the password recovery functionality after a certain (small) number of incorrect guesses.
- Require that the user properly answers the security question prior to resetting their password and sending the new password to the e-mail address of record.
- Never allow the user to control what e-mail address the new password will be sent to in the password recovery mechanism.
- Assign a new temporary password rather than revealing the original password.
CAPEC-50: Password Recovery Exploitation
An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.