CVE-2026-12417

EIP tracks 1 public exploit for CVE-2026-12417. PoCs published by Nxploited.

AI-analyzed exploit summary The repository contains a functional exploit for CVE-2026-12416 and CVE-2026-12417, which involve unauthenticated password reset vulnerabilities in WordPress plugins 'SignUp & SignIn' and 'Invoice Generator'. The exploit leverages weak validation of the 'reset_activation_code' parameter to reset passwords for arbitrary user IDs, including administrators.

The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This is due to the `pravel_change_password()` AJAX handler — registered via `wp_ajax_nopriv_pravel_change_password` and therefore accessible to unauthenticated users — performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied `reset_activation_code` POST parameter and the target user's `forgot_email` user meta value; when a user has never initiated a password reset, `get_user_meta()` returns an empty string that trivially satisfies this check against an omitted or empty attacker-supplied code. This makes it possible for unauthenticated attackers to change the password of any WordPress user, including administrators, by sending a crafted POST request to `admin-ajax.php` with `action=pravel_change_password`, `reset_user_id` set to the target account's user ID, and `new_password_custom` set to an attacker-chosen password. Successful exploitation allows the attacker to authenticate with the newly set password and fully take over the targeted account, achieving administrator-level privilege escalation on the affected site.