GHSA-qhrf-5rv2-gph8CriticalCVSS 9.8

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all...

Published
July 8, 2026
Last Modified
July 8, 2026

🔗 CVE IDs covered (1)

📋 Description

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the eventer_verification_code user meta field when a user requests a password reset. The plaintext key stored in wp_usermeta can be used with the plugin's custom reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-9700), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators. Note: The password reset function only works up to PHP version 7.4.

🔗 References (4)