A critical authentication bypass in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) lets unauthenticated attackers reset any user's password and seize administrator accounts.
What Is It
CVE-2026-12417 is a CVSS 9.8 (CRITICAL) authentication bypass via weak password reset validation (CWE-640) in the SignUp & SignIn plugin for WordPress by pravel. The flaw lives in the pravel_change_password() AJAX handler, which is registered through wp_ajax_nopriv_pravel_change_password and is therefore reachable by unauthenticated users. The handler performs no nonce verification and no capability check, relying only on a loose equality comparison between an attacker-supplied reset_activation_code POST parameter and the target user's forgot_email user meta value. When a user has never initiated a password reset, get_user_meta() returns an empty string that trivially satisfies the check against an omitted or empty code.
Why It Matters
The vector is network-based, requires no privileges and no user interaction, and yields full confidentiality, integrity, and availability impact (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). An attacker sends a crafted POST request to admin-ajax.php with action=pravel_change_password, reset_user_id set to the target's user ID, and new_password_custom set to a chosen password. The attacker can then authenticate as that account, including an administrator, achieving full site takeover and admin-level privilege escalation.
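A hardened shape for the handler, as an added example that is neither the plugin's code nor a vendor fix: it closes each gap named above (missing nonce check, no user lookup, empty stored code satisfying the comparison, loose equality) and adds single-use expiry. The parameter and meta names follow the advisory; the nonce action name, the expiry meta key and the minimum length are assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened password-reset AJAX
// handler covering the gaps the advisory describes. The nonce action
// 'pravel_reset_nonce' and the 'forgot_email_expires' meta key are assumed.

add_action( 'wp_ajax_nopriv_pravel_change_password', 'hardened_change_password' );
add_action( 'wp_ajax_pravel_change_password', 'hardened_change_password' );

function hardened_change_password() {
    // 1. Nonce verification: the vulnerable handler performed none.
    check_ajax_referer( 'pravel_reset_nonce', 'security' );

    $user_id  = absint( $_POST['reset_user_id'] ?? 0 );
    $code     = sanitize_text_field( wp_unslash( $_POST['reset_activation_code'] ?? '' ) );
    $password = (string) wp_unslash( $_POST['new_password_custom'] ?? '' );

    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'Invalid request.', 400 );
    }

    $stored = (string) get_user_meta( $user_id, 'forgot_email', true );

    // 2. An empty stored code means no reset was requested; reject
    //    before any comparison instead of letting '' == '' pass.
    if ( '' === $stored || '' === $code ) {
        wp_send_json_error( 'Invalid request.', 403 );
    }

    // 3. Constant-time strict comparison in place of loose equality.
    if ( ! hash_equals( $stored, $code ) ) {
        wp_send_json_error( 'Invalid request.', 403 );
    }

    // 4. Codes are time-limited (assumed meta key set when the reset was issued).
    $expires = (int) get_user_meta( $user_id, 'forgot_email_expires', true );
    if ( $expires && time() > $expires ) {
        delete_user_meta( $user_id, 'forgot_email' );
        wp_send_json_error( 'Invalid request.', 403 );
    }

    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( 'Password too short.', 400 );
    }

    wp_set_password( $password, $user_id );
    delete_user_meta( $user_id, 'forgot_email' );          // single use
    delete_user_meta( $user_id, 'forgot_email_expires' );
    wp_send_json_success( 'Password updated.' );
}
```

The same error message and status for every failed check keeps the endpoint from revealing which user IDs have a pending reset.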
What's Vulnerable
- Vendor: pravel
- Product: SignUp & SignIn plugin for WordPress
- Affected versions: all versions up to and including 1.0.0
Patch Status
No fixed version is identified in the supplied source material, and no required remediation action is stated. This CVE is not present in the CISA KEV catalog, so there is no confirmation of active exploitation at this time. The NVD record status is "Received" as of June 24, 2026.