PT-2026-55864 · WordPress · Allcoach

Pedro Pinho

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-10830

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions AllCoach versions prior to 1.0.2
Description The plugin fails to verify if an email address submitted to a public account-registration endpoint is already associated with an existing user before overwriting that user's password. This allows unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the website.
Recommendations Update to version 1.0.2 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

CVE-2026-10830

Affected Products

Allcoach