CVE-2024-8794

Name of the Vulnerable Software and Affected Versions: BA Book Everything plugin for WordPress versions up to, and including, 1.6.20

Description: The issue allows unauthenticated attackers to reset any user's passwords, including administrators, due to the reset user password() function not verifying a user's identity prior to setting a password. However, the attacker will not have access to the generated password, making privilege escalation not possible.

Recommendations: For versions up to, and including, 1.6.20, update to a version later than 1.6.20 to resolve the issue. As a temporary workaround, consider disabling the reset user password() function until a patch is available.