CVE-2026-12417
Authentication Bypass in SignUp & SignIn WordPress Plugin

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Wordfence

Description
The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the `pravel_change_password()` AJAX handler (registered via `wp_ajax_nopriv_pravel_change_password` and therefore accessible to unauthenticated users) performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied `reset_activation_code` POST parameter and the target user's `forgot_email` user meta value; when a user has never initiated a password reset, `get_user_meta()` returns an empty string that trivially satisfies this check against an omitted or empty attacker-supplied code. This makes it possible for unauthenticated attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request to `admin-ajax.php` with `action=pravel_change_password`, `reset_user_id` set to the target account's user ID, and `new_password_custom` set to an attacker-chosen password. Successful exploitation allows the attacker to authenticate with the newly set password and fully take over the targeted account, achieving administrator-level privilege escalation on the affected site.
Affected Vendors & Products
Vendor   Product             Version / Range
pravel   signup_and_signin   up to and including 1.0.0
CWE ID    Description
CWE-640   The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Executive Summary

The vulnerability exists in the SignUp & SignIn plugin for WordPress, versions up to and including 1.0.0. It allows unauthenticated attackers to bypass authentication by exploiting weak password reset validation.

Specifically, the AJAX handler `pravel_change_password` is accessible without authentication and lacks nonce verification and capability checks. It performs only a loose equality check between an attacker-supplied reset code and the user's stored reset code; for a user who has never initiated a password reset the stored value is an empty string, so an omitted or empty code satisfies the check.

This flaw enables attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request with the target user ID and a new password. Once exploited, the attacker can log in as that user and gain full control over the account.

Impact Analysis

This vulnerability can lead to a complete account takeover of any WordPress user on the affected site, including administrators.

An attacker can change user passwords without authentication, allowing them to gain unauthorized access and escalate privileges to administrator level.

Such unauthorized access can result in data breaches, site defacement, loss of control over the website, and potential further exploitation of the compromised system.

Detection Guidance

This vulnerability can be detected by monitoring for POST requests to the WordPress admin-ajax.php endpoint with the action parameter set to pravel_change_password. Note that admin-ajax.php normally receives the action parameter in the POST body, which default web server access logs do not record; such requests show up in the access log only when the parameter was sent in the query string, so request-body logging from a web application firewall, reverse proxy or application-level logging is usually needed.

  • Check your web server, reverse proxy and WAF logs for POST requests containing action=pravel_change_password, particularly ones that omit reset_activation_code or send it empty.
  • Use a command-line tool such as curl or wget to send such a request and verify whether the password can be changed without authentication. Example command (replace the URL and parameters accordingly):
    curl -X POST https://yourwordpresssite.com/wp-admin/admin-ajax.php -d "action=pravel_change_password&reset_user_id=1&new_password_custom=Test1234"
  • This check is not read-only: on a vulnerable site it really sets the password of the named user, so run it against a staging copy or a dedicated throwaway account rather than a production administrator account.

If the request succeeds without authentication and changes the password, the site is vulnerable.

Mitigation Strategies

Immediate mitigation steps include disabling or removing the vulnerable SignUp & SignIn plugin until a patch is available.

Restrict access to the admin-ajax.php endpoint or, preferably, block requests with action=pravel_change_password from unauthenticated users via a web application firewall or server rules. Many themes and plugins rely on admin-ajax.php for logged-out visitors, so a rule targeting the specific action is less disruptive than blocking the endpoint wholesale.

Monitor user accounts for unauthorized password changes and reset passwords for critical accounts if compromise is suspected.

Apply any available updates or patches from the plugin developer as soon as they are released.
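For developers, the underlying CWE-640 weakness is fixed at the handler level. The following is an added example written for this page, not the plugin's own code: it shows what a handler of the shape described above should do instead (nonce check, refusal of empty codes, strict constant-time comparison, expiry and single use). The function name, the nonce action name `pravel_change_password`, and the `forgot_email_expires` meta key holding the code's expiry time are assumptions; the parameter names and the `forgot_email` meta key come from the advisory.

```php
<?php
// Hardened handler of the same shape as the one described in the advisory.
// Assumed (not the plugin's code): forgot_email holds the issued reset code,
// forgot_email_expires holds the Unix time after which it is no longer valid.
add_action( 'wp_ajax_nopriv_pravel_change_password', 'pravel_change_password_hardened' );
add_action( 'wp_ajax_pravel_change_password', 'pravel_change_password_hardened' );

function pravel_change_password_hardened() {
    // 1. CSRF protection: the reset form must carry a nonce for this action
    //    (assumed nonce action name; nonces also work for logged-out users).
    check_ajax_referer( 'pravel_change_password', 'nonce' );

    $user_id  = isset( $_POST['reset_user_id'] ) ? absint( $_POST['reset_user_id'] ) : 0;
    $code     = isset( $_POST['reset_activation_code'] )
        ? sanitize_text_field( wp_unslash( $_POST['reset_activation_code'] ) ) : '';
    $password = isset( $_POST['new_password_custom'] )
        ? (string) wp_unslash( $_POST['new_password_custom'] ) : '';

    // 2. Reject empty input outright instead of letting '' == '' succeed.
    if ( 0 === $user_id || '' === $code || '' === $password ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    if ( ! get_userdata( $user_id ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    // 3. Only honour a code that was actually issued and has not expired;
    //    a user who never requested a reset has an empty stored value.
    $stored  = (string) get_user_meta( $user_id, 'forgot_email', true );
    $expires = (int) get_user_meta( $user_id, 'forgot_email_expires', true );
    if ( '' === $stored || $expires < time() ) {
        wp_send_json_error( 'invalid or expired code', 403 );
    }

    // 4. Strict, constant-time comparison: no type juggling, no timing leak.
    if ( ! hash_equals( $stored, $code ) ) {
        wp_send_json_error( 'invalid or expired code', 403 );
    }

    // 5. Single use: invalidate the code before the password changes.
    delete_user_meta( $user_id, 'forgot_email' );
    delete_user_meta( $user_id, 'forgot_email_expires' );

    wp_set_password( $password, $user_id );
    wp_send_json_success( 'password updated' );
}
```

Storing only a hash of the issued code (and comparing with `wp_check_password()`) further limits the damage if the user meta table is ever read by an attacker.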
