PT-2026-55864 · WordPress · Allcoach
Pedro Pinho
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-10830
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
AllCoach versions prior to 1.0.2
Description
The plugin fails to verify if an email address submitted to a public account-registration endpoint is already associated with an existing user before overwriting that user's password. This allows unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the website.
Recommendations
Update to version 1.0.2 or later.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Allcoach