Weak Password Recovery Mechanism for Forgotten Password vulnerability in Hossein Material Dashboard material-dashboard.This issue affects Material Dashboard: from n/a through <= 1.4.6.
The vulnerability consists of a weak password recovery mechanism for forgotten passwords (Weak Password Recovery Mechanism for Forgotten Password). This mechanism is exploitable without authentication, without user interaction, and without meeting any special conditions on the attacker's side (AC:L, PR:N, UI:N). Incorrect implementation of the password recovery process allows an attacker to manipulate this process in order to take over the account.
An attacker can gain unauthorized access to user accounts, potentially including administrative accounts, leading to complete WordPress site takeover — compromising confidentiality, integrity, and data availability.
Update the Material Dashboard plugin to a version newer than 1.4.6. Details regarding the available patch should be verified according to information published by Patchstack and in the WordPress plugin repository.
WordPress Material Dashboard plugin by Hossein, versions from the beginning up to and including 1.4.6.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H