PatchSiren

pravel CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL pravel CVE published 2026-06-24

CVE-2026-12417

The SignUp & SignIn plugin for WordPress is vulnerable to Authentication Bypass via Weak Password Reset Validation leading to Account Takeover in versions up to, and including, 1.0.0. This vulnerability is due to the `pravel_change_password()` AJAX handler performing no nonce verification, no capability check, and only a loose equality check between an attacker-supplied `reset_activation_code` POST parame [truncated]

CRITICAL pravel CVE published 2026-06-24

CVE-2026-12416

The Invoice Generator plugin for WordPress, version 1.0.0 and below, contains a critical vulnerability (CVE-2026-12416) that allows unauthenticated attackers to take over any account on the site, including administrator accounts. This is achieved through a flawed password reset mechanism in the `pravel_invoice_change_password()` function, which lacks nonce verification and authorization checks. The functi [truncated]
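The handler shape that both debriefs above describe (no nonce verification, no capability or ownership check, and a loose `==` comparison of the POST-supplied `reset_activation_code` against a stored value), shown beside a hardened version. This is an added illustrative example; it is not PatchSiren's code and not the code of either plugin. It assumes the stored comparison target is a per-user meta field named `reset_activation_code` (the debriefs are cut off before naming it), adds an assumed `reset_activation_code_time` field for expiry, and stubs the WordPress functions it calls so the file runs outside WordPress. All sample users and codes are constructed.

```php
<?php
// Added example, not the plugin's or PatchSiren's code. It models the pattern
// the two debriefs describe. The stored comparison target is ASSUMED to be a
// per-user meta field 'reset_activation_code'; 'reset_activation_code_time' is
// an added assumption for expiry. The WordPress functions below are stubs with
// the real functions' names and argument order so the file runs stand-alone.

// --- constructed sample data and WordPress stubs ---
$GLOBALS['users'] = [
    1 => ['login' => 'admin', 'pass' => 'old', 'meta' => []],                        // never asked for a reset
    2 => ['login' => 'alice', 'pass' => 'old', 'meta' => ['reset_activation_code' => '482913']],
];
function get_user_meta($uid, $key, $single = true) {        // WP returns '' when the key is unset
    return $GLOBALS['users'][$uid]['meta'][$key] ?? '';
}
function update_user_meta($uid, $key, $val) { $GLOBALS['users'][$uid]['meta'][$key] = $val; }
function delete_user_meta($uid, $key)       { unset($GLOBALS['users'][$uid]['meta'][$key]); }
function wp_set_password($pass, $uid)       { $GLOBALS['users'][$uid]['pass'] = $pass; }
function wp_verify_nonce($nonce, $action)   { return $nonce === "nonce:$action"; } // stub
function sanitize_text_field($s)            { return is_string($s) ? trim($s) : ''; }

// --- vulnerable shape: every input is attacker-controlled and nothing ties the
//     request to a reset the account owner actually initiated ---
function vulnerable_change_password(array $post): string {
    $uid    = (int) ($post['user_id'] ?? 0);
    $code   = $post['reset_activation_code'] ?? '';
    $stored = get_user_meta($uid, 'reset_activation_code', true);
    if ($code == $stored) {            // loose ==: '' == '' and '482913' == '482913.0' are both true
        wp_set_password($post['new_password'], $uid);
        return 'changed';
    }
    return 'bad code';
}

// --- hardened shape ---
function hardened_change_password(array $post): string {
    // 1. Nonce minted for this action (check_ajax_referer() does this in real WP).
    if (!wp_verify_nonce($post['nonce'] ?? '', 'pravel_change_password')) {
        return 'bad nonce';
    }
    // If this endpoint is meant only for logged-in users changing their own
    // password, also require get_current_user_id() === $uid or
    // current_user_can('edit_user', $uid) here (omitted: no session in this file).
    $uid    = (int) ($post['user_id'] ?? 0);
    $code   = sanitize_text_field($post['reset_activation_code'] ?? '');
    $stored = get_user_meta($uid, 'reset_activation_code', true);
    $issued = (int) get_user_meta($uid, 'reset_activation_code_time', true);
    // 2. A reset must actually be pending: an empty stored code matches nothing.
    //    Under the loose check, a user who never requested a reset is the easiest target.
    if ($code === '' || !is_string($stored) || $stored === '') {
        return 'no reset pending';
    }
    // 3. Codes expire and are single-use.
    if ($issued === 0 || time() - $issued > 15 * 60) {
        delete_user_meta($uid, 'reset_activation_code');
        return 'code expired';
    }
    // 4. Strict, constant-time comparison: no type juggling, no timing leak.
    if (!hash_equals($stored, $code)) {
        return 'bad code';
    }
    delete_user_meta($uid, 'reset_activation_code');
    delete_user_meta($uid, 'reset_activation_code_time');
    wp_set_password((string) ($post['new_password'] ?? ''), $uid);
    return 'changed';
}

// Issue a code the way the request-reset step should: high entropy, timestamped.
function issue_reset_code(int $uid): string {
    $code = bin2hex(random_bytes(16));            // 128 bits; not guessable, not numeric-looking
    update_user_meta($uid, 'reset_activation_code', $code);
    update_user_meta($uid, 'reset_activation_code_time', time());
    return $code;
}

// --- walk-through on the constructed data ---
// Account 1 never requested a reset: stored code is '', attacker posts an empty code.
echo vulnerable_change_password(['user_id' => 1, 'reset_activation_code' => '', 'new_password' => 'pwned']), "\n";
echo hardened_change_password(['nonce' => 'nonce:pravel_change_password', 'user_id' => 1,
                               'reset_activation_code' => '', 'new_password' => 'pwned']), "\n";
// Account 2 has a numeric-looking code: a loose == also accepts numerically equal strings.
echo vulnerable_change_password(['user_id' => 2, 'reset_activation_code' => '482913.0', 'new_password' => 'pwned']), "\n";
// Hardened path with a freshly issued code succeeds exactly once.
$code = issue_reset_code(2);
$req  = ['nonce' => 'nonce:pravel_change_password', 'user_id' => 2,
         'reset_activation_code' => $code, 'new_password' => 'n3w'];
echo hardened_change_password($req), "\n";
echo hardened_change_password($req), "\n";
```

The first two vulnerable calls print `changed` and the hardened calls print `no reset pending`, `changed`, `no reset pending`. The point a practitioner should take from the walk-through: switching `==` to `===` alone does not close the hole, because `'' === ''` is still true for every account that has never requested a reset; the stored code must be checked for presence and freshness, compared with `hash_equals()`, and invalidated after use, and the request must carry a nonce.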