CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2023-35039

CVSS 9.8v3.1pub. 2023-12-07upd. 2026-04-28

Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse.This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-307 consists of the lack of proper limitation on the number of attempts to verify the password reset code transmitted through the WordPress REST API. An attacker can perform a brute-force attack on the password reset code by repeatedly sending requests to the API without any blocking or throttling mechanism. Combined with potentially weak PIN code generation (indicated in the references), successfully guessing the code gives the attacker the ability to take over any user account.

Impact

An attacker without any authentication can take control of any WordPress user account, including administrator accounts, leading to complete compromise of the website's confidentiality, integrity, and availability.

Mitigation & patch

Update the 'Password Reset with Code for WordPress REST API' plugin to a version higher than 0.0.15. Detailed information about available patches is available in the manufacturer's references and in the Patchstack database.

Who is affected

The 'Password Reset with Code for WordPress REST API' plugin by Be Devious Web Development, versions from the beginning through 0.0.15 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Bedevious Password Reset With Code For WordPress Rest Api

    APP
    Bedevious
    < 0.0.16
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References