SYS::ONLINE
Wasteland.
Briefs1132
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-9701 2026-07-08

CVE-2026-9701: Insecure Password Reset in WordPress Eventer Plugin Enables Account Takeover

"A critical flaw (CVSS 9.8) in the Eventer WordPress plugin stores password reset keys in plaintext, letting unauthenticated attackers hijack any account—including administrators—when chained with a companion SQL…"

A critical flaw (CVSS 9.8) in the Eventer WordPress plugin stores password reset keys in plaintext, letting unauthenticated attackers hijack any account—including administrators—when chained with a companion SQL injection bug.

What Is It

CVE-2026-9701 is an insecure password reset vulnerability (CWE-289, Authentication Bypass by Alternate Name) in the Eventer event manager plugin for WordPress. When a user requests a password reset, the plugin stores a plaintext copy of the reset key in the eventer_verification_code user meta field within wp_usermeta. That plaintext key can then be used with the plugin's custom reset action to set a new password for any user. The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL) with a network attack vector, low complexity, and no privileges or user interaction required.

Why It Matters

Because the reset key is stored in plaintext, an attacker who can read the wp_usermeta table can reset any account's password. The NVD record notes that when combined with another vulnerability such as SQL Injection (CVE-2026-9700), unauthenticated attackers can extract the plaintext reset key and take over any user account, including administrators—resulting in full compromise of the affected WordPress site. The vector's high confidentiality, integrity, and availability impacts reflect this total account-takeover potential.

One important caveat from the source: the password reset function only works up to PHP version 7.4.

What's Vulnerable

Patch Status

The supplied source material does not include a CISA KEV entry for this CVE, so there is no confirmation of active exploitation and no KEV-mandated remediation deadline at this time. The NVD record (published 2026-07-08, status "Received") lists no fixed version or explicit patch guidance beyond identifying 4.4.2 and earlier as affected.

Sources