CVE-2024-9104

Name of the Vulnerable Software and Affected Versions UltimateAI plugin for WordPress versions up to, and including, 2.8.3

Description The issue is due to the improper empty value check and a missing default activated value check in the ultimate ai change pass function. This allows unauthenticated attackers to reset the password of the first user, whose account is not yet activated or the first user who activated their account, who are subscribers.

Recommendations For UltimateAI plugin for WordPress versions up to, and including, 2.8.3, update to a version later than 2.8.3 to resolve the issue. As a temporary workaround, consider disabling the ultimate ai change pass function until a patch is available. Restrict access to the first user account to minimize the risk of exploitation.