CVE-2024-11350

Name of the Vulnerable Software and Affected Versions AdForest theme for WordPress versions up to and including 5.1.6

Description The issue arises from the plugin not properly validating a user's identity before updating their password through the adforest reset password() function. This allows unauthenticated attackers to change arbitrary users' passwords, including administrators, and gain access to their accounts.

Recommendations For versions up to and including 5.1.6, update to a version later than 5.1.6 to resolve the issue. As a temporary workaround, consider disabling the adforest reset password() function until a patch is available. Restrict access to the password reset functionality to minimize the risk of exploitation.