CVE-2026-10830
Received Received - Intake

Unauthenticated Password Reset in AllCoach WordPress Plugin

Vulnerability report for CVE-2026-10830, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: WPScan

Description

The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
allcoach wordpress_plugin to 1.0.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-10830 vulnerability affects the AllCoach WordPress plugin versions below 1.0.2. It allows unauthenticated attackers to take over arbitrary user accounts, including administrators, by exploiting a flaw in the account-registration process.

The issue occurs because the plugin does not verify if an email address submitted to a public registration endpoint is already linked to an existing user before resetting the user's password. This enables attackers to overwrite passwords and gain full control of the affected site.

Compliance Impact

The vulnerability allows unauthenticated attackers to reset passwords of arbitrary accounts, including administrators, and take over the site. This unauthorized access can lead to exposure or manipulation of sensitive personal data stored on the site.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure access controls.

Therefore, failure to patch this vulnerability could result in violations of these regulations due to improper privilege management and broken authentication.

Detection Guidance

This vulnerability affects the AllCoach WordPress plugin versions below 1.0.2 and involves an unauthenticated password reset via a public account-registration endpoint. Detection involves checking if your WordPress site is running the vulnerable plugin version.

To detect if the vulnerable plugin is installed and its version, you can use the following command on the server hosting the WordPress site:

  • grep -i 'allcoach' wp-content/plugins/allcoach/readme.txt
  • Or check the plugin version via WP-CLI:
  • wp plugin get allcoach --field=version

Additionally, to detect attempts to exploit this vulnerability on your network, you can monitor HTTP POST requests to the account-registration endpoint that include email addresses already associated with existing users. For example, using a network monitoring tool or web server logs, look for suspicious password reset requests.

Since the vulnerability involves unauthenticated password resets, monitoring for unusual password reset activity or multiple password reset requests for the same email address could indicate exploitation attempts.

Impact Analysis

This vulnerability can have a critical impact as it allows unauthenticated attackers to reset the passwords of arbitrary accounts, including administrator accounts.

By exploiting this flaw, attackers can take over the site, gaining full control over user accounts and potentially the entire WordPress installation.

Mitigation Strategies

To mitigate the CVE-2026-10830 vulnerability in the AllCoach WordPress plugin, users should update the plugin to version 1.0.2 or later.

This update fixes the issue where the plugin did not verify if an email address submitted to the public account-registration endpoint was already associated with an existing user before resetting the password, preventing unauthenticated attackers from taking over accounts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10830. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart