CVE-2020-36176

HIGH

iThemes Security < 7.7.0 - Improper Authentication via Password Change Bypass

Title source: llm
STIX 2.1

Description

The iThemes Security (formerly Better WP Security) plugin before 7.7.0 for WordPress does not enforce a new-password requirement for an existing account until the second login occurs.

References (1)

Core 1
Core References
Product, Release Notes, Third Party Advisory x_refsource_misc
https://wordpress.org/plugins/better-wp-security/#developers

Scores

CVSS v3 7.5
EPSS 0.0129
EPSS Percentile 66.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-287
Status published
Products (1)
ithemes/ithemes_security < 7.7.0
Published Jan 06, 2021
Tracked Since Feb 18, 2026