cleantalk
Vulnerabilities and Security Researches

WP User Manager – User Profile Builder & Membership, CVE-2021-24655

CVE, Research URL

CVE-2021-24655

Home page URL

Security reports for WP User Manager – User Profile Builder & Membership

Application

WP User Manager – User Profile Builder & Membership

Published on
Jul 17, 2022
Research Description
The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.
Affected versions
max 2.6.3.
Status
vulnerable
Previous vulnerability researches
WP User Manager – User Profile Builder & Membership (CVE-2021-24655) , Jun 07, 2024
WP User Manager – User Profile Builder & Membership (CVE-2024-10537) , Nov 25, 2024
WP User Manager – User Profile Builder & Membership (CVE-2024-10216) , Nov 25, 2024
WP User Manager – User Profile Builder & Membership (CVE-2025-60245) , Nov 11, 2025
WP User Manager – User Profile Builder & Membership (CVE-2024-43336) , Aug 20, 2024
New vulnerability
JB News Ticker (CVE-2025-11804) , Nov 11, 2025
My auctions allegro (CVE-2025-10048) , Nov 11, 2025
Sertifier Certificates & Open Badges – Tutor LMS (CVE-2025-53214) , Nov 11, 2025
Toast Mobile Menu – PageSpeed Insights Friendly (CVE-2025-53238) , Nov 11, 2025
Stripe Payment forms for WordPress Plugin – WP Full Pay (CVE-2025-9322) , Nov 11, 2025