CyberRota
← Ana sayfaya dön

CVE-2026-9701

CRITICAL · CVSS 9.8

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-07-08T05:16:28.977 · Çekilme zamanı: 2026-07-08T06:06:07.952949+00:00

CyberRota Yorumu

SQL Injection riski içeriyor.

CVE
CVE-2026-9701
Severity
CRITICAL
CVSS
9.8
EPSS
Yok
WordPress

Orijinal NVD Açıklaması

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the `eventer_verification_code` user meta field when a user requests a password reset. The plaintext key stored in `wp_usermeta` can be used with the plugin's custom reset action to set a new password for any user. Combined with another vulnerability such as SQL Injection (CVE-2026-9700), this makes it possible for unauthenticated attackers to extract the plaintext reset key and take over any user account, including administrators. Note: The password reset function only works up to PHP version 7.4.