Back to overview

CVE-2026-10830

HIGH
8.8
CVSS 3.1
Description
The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.

Metadata

CVE ID
CVE-2026-10830
State
PUBLISHED
Assigner
WPScan
Reserved
2026-06-04 10:01 UTC
Published
2026-07-06 06:00 UTC
Last updated
2026-07-06 12:03 UTC
Vendor / Product
Unknown / AllCoach
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
Unknown AllCoach 0 < 1.0.2
Weakness (CWE)
CWESourceDescription
cna CWE-269 Improper Privilege Management
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.8 HIGH 3.1 adp CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Back to overview