Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse.This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15.
The vulnerability classified as CWE-307 consists of the lack of proper limitation on the number of attempts to verify the password reset code transmitted through the WordPress REST API. An attacker can perform a brute-force attack on the password reset code by repeatedly sending requests to the API without any blocking or throttling mechanism. Combined with potentially weak PIN code generation (indicated in the references), successfully guessing the code gives the attacker the ability to take over any user account.
An attacker without any authentication can take control of any WordPress user account, including administrator accounts, leading to complete compromise of the website's confidentiality, integrity, and availability.
Update the 'Password Reset with Code for WordPress REST API' plugin to a version higher than 0.0.15. Detailed information about available patches is available in the manufacturer's references and in the Patchstack database.
The 'Password Reset with Code for WordPress REST API' plugin by Be Devious Web Development, versions from the beginning through 0.0.15 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HBedevious Password Reset With Code For WordPress Rest Api
APPBedevious< 0.0.16