CVE-2026-12417: SignUp & SignIn <= 1.0.0 - Unauthenticated Privilege Escalation via Weak Password Reset Validation via 'reset_activation_code' Leading to Account Takeover
The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the `pravel_change_password()` AJAX handler — registered via `wp_ajax_nopriv_pravel_change_password` and therefore accessible to unauthenticated users — performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied `reset_activation_code` POST parameter and the target user's `forgot_email` user meta value; when a user has never initiated a password reset, `get_user_meta()` returns an empty string that trivially satisfies this check against an omitted or empty attacker-supplied code. This makes it possible for unauthenticated attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request to `admin-ajax.php` with `action=pravel_change_password`, `reset_user_id` set to the target account's user ID, and `new_password_custom` set to an attacker-chosen password. Successful exploitation allows the attacker to authenticate with the newly set password and fully take over the targeted account, achieving administrator-level privilege escalation on the affected site.
Metrics
- CVSS v3.1
- 9.8
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is an authentication bypass vulnerability in the SignUp & SignIn plugin for WordPress (versions up to and including 1.0.0). The flaw is reachable over the network with no credentials required: the plugin's password-reset AJAX handler skips nonce verification, capability checks, and meaningful code validation, meaning an attacker can reset any user's password by sending a single crafted HTTP POST request to wp-admin/admin-ajax.php. Successful exploitation gives the attacker full control over any WordPress account, including administrators, enabling complete site takeover. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Wordfence) within minutes of publication and matched against customer images, including custom-built WordPress images that bundle this plugin. Any image found to contain SignUp & SignIn at version 1.0.0 or earlier is flagged automatically.
AvailableHarborGuard scores this finding at CVSS 9.8 Critical and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured severity thresholds and ownership rules.
AvailableBecause no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated version is released. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable AJAX endpoint is exposed over the network via standard HTTP to admin-ajax.php, so the attacker must be able to reach the WordPress site over the internet or internal network.
- AuthenticationNot required
The handler is registered under wp_ajax_nopriv, meaning no account or session of any kind is needed to invoke it.
- Victim interactionNot required
The attack is fully server-side; no user needs to click a link, open a file, or take any action for exploitation to succeed.
- Attack complexityDetail
Exploitation is reliable and condition-free: a single crafted POST request is sufficient because the missing validation is structural and not dependent on timing, memory layout, or any environmental factor.
Blast Radius
- Attacker sets a chosen password on any WordPress user account, including administrator accounts, by supplying only the numeric user ID.
- Attacker authenticates with the newly set password and gains full administrative access to the WordPress dashboard.
- With administrator access, the attacker can install or modify plugins and themes, exfiltrate all site content and user data (including stored credentials and personal information), and alter or delete site content.
- All WordPress users on the affected installation are at risk of account takeover, not just a single target account.
How HarborGuard Handles This
Available on HarborGuard: this CVE is tracked continuously against all customer images containing the SignUp & SignIn plugin at version 1.0.0 or earlier. Because no upstream patch exists at the time of publication, HarborGuard monitors the Wordfence advisory feed on every ingest cycle and will trigger a patched-image rebuild automatically when a fix version is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads, with no manual steps required. In the interim, compensating controls are available: network-policy rules that block unauthenticated external access to the wp-admin/admin-ajax.php endpoint, egress filtering to limit what a compromised WordPress instance can reach, and feature-flag or WAF-rule gating on the pravel_change_password action parameter. Where compliance policy permits, HarborGuard can surface these control recommendations as inline findings alongside the CVE alert.
- pravel / SignUp & SignIn≤ 1.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H