Mallory
Unrated | Public exploit

Authentication Bypass and Account Takeover in SignUp & SignIn WordPress Plugin

Identifiers: CVE-2026-12417, CWE-640

CVE-2026-12417 is a critical authentication bypass in the SignUp & SignIn plugin for WordPress, affecting versions up to and including 1.0.0. The flaw is in the AJAX password-change handler pravel_change_password(), which is exposed to unauthenticated visitors through the wp_ajax_nopriv_pravel_change_password hook. The handler performs no nonce verification and no capability check, and validates a reset request using only a loose (==) comparison between the attacker-controlled reset_activation_code POST parameter and the target user's forgot_email user meta value. A user who has never started a password reset may have no such meta stored, and get_user_meta() reports a missing single value as an empty string; under PHP loose comparison an omitted (null) or empty reset_activation_code is equal to that empty string, so the check passes. An unauthenticated attacker can therefore POST to admin-ajax.php with action=pravel_change_password, the victim's numeric reset_user_id, and an attacker-chosen new_password_custom value, and the handler sets that password on the target account, including administrator accounts.


Analyst brief: impact, mitigation & remediation

Impact

What an attacker gets.

Successful exploitation allows unauthenticated takeover of arbitrary WordPress accounts on the affected site. The only per-target input the attacker needs is the victim's numeric user ID, which is sequential (ID 1 is usually the original administrator) and is routinely exposed through the REST API (/wp-json/wp/v2/users) and ?author=N redirects. If an administrator account is targeted, the attacker gains administrator-level access to the WordPress instance, enabling full site compromise through administrative actions such as modifying content, changing configuration, installing or editing plugins/themes, creating additional privileged users, and establishing persistence. The issue is remotely exploitable and requires no prior authentication or user interaction.

Mitigation

If you can’t patch tonight, do this now.

If no patched version is available, disable or remove the SignUp & SignIn plugin immediately. As a temporary defensive measure, block the vulnerable AJAX action pravel_change_password at the web server or WAF layer. Note that WordPress reads the action from $_REQUEST, so the rule must match action=pravel_change_password in the POST body as well as in the query string of requests to admin-ajax.php; a rule that inspects only the URL will miss the exploit's normal form-encoded POST. Monitor for unexpected password changes, logins from unfamiliar sources, and creation of new privileged accounts. Reset passwords for potentially affected users, especially administrators, terminate their existing sessions (rotating the salts in wp-config.php invalidates every session at once), and review site integrity for signs of post-compromise activity.
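If the WAF cannot inspect request bodies, the same block can be applied inside WordPress itself. The following must-use plugin is an added example written for this page, not code from the SignUp & SignIn plugin or from Mallory; it assumes a stock WordPress install (wp_doing_ajax() and the status-code argument of wp_send_json_error() have existed since 4.7 and 4.1 respectively) and that the file is dropped into wp-content/mu-plugins/, where it loads on every request without activation.

```php
<?php
/**
 * Plugin Name: Block pravel_change_password (temporary mitigation)
 * Description: Added example for CVE-2026-12417, not part of the SignUp & SignIn plugin.
 *              Drop into wp-content/mu-plugins/ and remove once the plugin is patched.
 */

// admin-ajax.php fires 'admin_init' before it dispatches wp_ajax_{action} /
// wp_ajax_nopriv_{action}, so a handler on 'admin_init' sees the request
// before the vulnerable callback can run.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return; // not an admin-ajax.php request
    }

    // WordPress reads the action from $_REQUEST, so this covers both the
    // query string and the POST body.
    $action = isset( $_REQUEST['action'] ) ? (string) wp_unslash( $_REQUEST['action'] ) : '';
    if ( 'pravel_change_password' !== $action ) {
        return;
    }

    // Log what matters for triage: source address, targeted user id, whether the
    // reset code was empty (the CVE-2026-12417 pattern) and whether the caller
    // was authenticated at all.
    $user_id = isset( $_POST['reset_user_id'] ) ? (int) $_POST['reset_user_id'] : 0;
    $code    = isset( $_POST['reset_activation_code'] )
        ? (string) wp_unslash( $_POST['reset_activation_code'] )
        : '';
    error_log( sprintf(
        'CVE-2026-12417 blocked: ip=%s reset_user_id=%d empty_code=%s logged_in=%s',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        $user_id,
        '' === $code ? 'yes' : 'no',
        is_user_logged_in() ? 'yes' : 'no'
    ) );

    // Refuse the request outright. wp_send_json_error() sends the response and exits,
    // so the plugin's handler never executes.
    wp_send_json_error( array( 'message' => 'This action is disabled.' ), 403 );
} );
```

This blocks the action for logged-in users as well, so the plugin's own reset form stops working until the patched version is installed; that is the intended trade-off for a stopgap. The error_log() line gives you a per-attempt record in the PHP error log that can be forwarded to the SIEM while the rule is in place.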

Remediation

Patch, then assume compromise.

Update the SignUp & SignIn plugin to a fixed version as soon as the vendor publishes one. The fix in pravel_change_password() needs more than a tightened comparison: when a reset is requested, the flow should mint a cryptographically random, single-use token with a short expiry, store it (ideally hashed) against the requesting user, reject any change request whose token is missing or empty, compare tokens strictly and in constant time (hash_equals()), and invalidate the token once it has been used. A handler registered on wp_ajax_nopriv_* is reachable by anyone on the internet, so every authorization decision must rest on that token rather than on request parameters such as reset_user_id. A nonce check (check_ajax_referer()) belongs in the flow as CSRF protection for the form, but it is not an authentication control and does not replace the token.
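To make the difference concrete, here is the flawed check in the shape the advisory describes, followed by one way to build the hardened flow. Both are added illustrations for this page, not the plugin's source or the vendor's fix; the ex_ prefixed function names, the meta keys, the 15-minute lifetime and the nonce action name are assumptions made for the example.

```php
<?php
// --- Vulnerable shape, reconstructed from the advisory (not the plugin's code) ---------
// get_user_meta( ..., true ) returns '' when the key has never been set, and in PHP
// both null == '' and '' == '' are true, so an omitted or empty code passes.
function vuln_change_password() {
    $user_id = (int) $_POST['reset_user_id'];
    $stored  = get_user_meta( $user_id, 'forgot_email', true );
    $sent    = isset( $_POST['reset_activation_code'] ) ? $_POST['reset_activation_code'] : null;
    if ( $sent == $stored ) {
        wp_set_password( $_POST['new_password_custom'], $user_id );
        wp_send_json( array( 'activation' => true ) );
    }
    wp_send_json( array( 'activation' => false ) );
}

// --- Hardened flow (assumed names) -------------------------------------------------------
const EX_TOKEN_HASH_META = 'ex_reset_token_hash';
const EX_TOKEN_EXP_META  = 'ex_reset_token_exp';
const EX_TOKEN_TTL       = 15 * MINUTE_IN_SECONDS;

/** Step 1: on "forgot password", mint a random single-use token and store only its hash. */
function ex_issue_reset_token( $user_id ) {
    $token = bin2hex( random_bytes( 32 ) ); // 256 bits from the CSPRNG; not guessable
    update_user_meta( $user_id, EX_TOKEN_HASH_META, hash( 'sha256', $token ) );
    update_user_meta( $user_id, EX_TOKEN_EXP_META, time() + EX_TOKEN_TTL );
    return $token; // deliver to the account's e-mail address only
}

/** Step 2: nopriv handler. Only a present, unexpired, strictly matching token may change the password. */
function ex_change_password() {
    check_ajax_referer( 'ex_reset_nonce', 'nonce' ); // CSRF guard for the form; not an auth check

    $user_id  = isset( $_POST['reset_user_id'] ) ? (int) $_POST['reset_user_id'] : 0;
    $token    = isset( $_POST['reset_activation_code'] )
        ? (string) wp_unslash( $_POST['reset_activation_code'] ) : '';
    $new_pass = isset( $_POST['new_password_custom'] )
        ? (string) wp_unslash( $_POST['new_password_custom'] ) : '';

    // Empty token is rejected before any comparison: the CVE-2026-12417 input never gets this far.
    if ( $user_id <= 0 || '' === $token || '' === $new_pass || ! get_userdata( $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    $stored_hash = (string) get_user_meta( $user_id, EX_TOKEN_HASH_META, true );
    $expires     = (int) get_user_meta( $user_id, EX_TOKEN_EXP_META, true );

    // No token on file or an expired one can never match; otherwise compare strictly and
    // in constant time. hash_equals() also refuses to treat '' and null as equal.
    $ok = '' !== $stored_hash
        && $expires > time()
        && hash_equals( $stored_hash, hash( 'sha256', $token ) );

    if ( ! $ok ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired reset code.' ), 403 );
    }

    // Burn the token before changing the password so it is single-use even if the
    // password update itself fails part-way.
    delete_user_meta( $user_id, EX_TOKEN_HASH_META );
    delete_user_meta( $user_id, EX_TOKEN_EXP_META );

    wp_set_password( $new_pass, $user_id );
    wp_send_json_success( array( 'activation' => true ) );
}
add_action( 'wp_ajax_nopriv_ex_change_password', 'ex_change_password' );
add_action( 'wp_ajax_ex_change_password', 'ex_change_password' );
```

The token is kept on file across failed attempts rather than burned on the first mismatch; with 256 bits of entropy brute force is not a concern, while burning on failure would let an attacker cancel a legitimate user's reset by sending junk. Rate-limit the endpoint at the web server if you want a belt-and-braces control on top.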
Public exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (valid: 1 / 1 total).

CVE-2026-12416, CVE-2026-12417 | Maturity: PoC | Verified exploit

This repository is a small standalone Python exploit/scanner for two WordPress plugin vulnerabilities: CVE-2026-12416 in Invoice Generator <= 1.0.0 and CVE-2026-12417 in SignUp & SignIn <= 1.0.0. The repository contains one main code file, a README describing the vulnerabilities and workflow, and a custom license. The Python script is the operational entry point and implements concurrent mass scanning against a list of target WordPress sites.

Core exploit capability: the script abuses unauthenticated WordPress AJAX handlers exposed through /wp-admin/admin-ajax.php using the actions pravel_change_password and pravel_invoice_change_password. It submits reset_user_id, an attacker-chosen new_password_custom value, and an empty reset_activation_code to trigger arbitrary password resets for guessed user IDs. The hardcoded replacement password is Nxploited@123KSa.

Operational flow: for each target, the script first probes likely user IDs (1 and 2), then optionally expands to IDs 3 through 20 if needed. After a successful reset indication (matching the success string '"activation":true'), it attempts to determine the corresponding username using WordPress REST API endpoints and author enumeration techniques, then logs in through /wp-login.php. It confirms administrator access by requesting /wp-admin/users.php and checking whether the session has sufficient privileges. Confirmed admin compromises are written to scan_results/pravel_admin_success.txt.

Repository structure is simple and purpose-built for exploitation rather than detection. It includes threading support via ThreadPoolExecutor for mass scanning, randomized User-Agent selection, timeout tuning, console output formatting with rich, and synchronized file/result handling. This is a real exploit with post-exploitation validation logic, not merely a detector or README-only proof of concept.

Nxploited | Disclosed Jun 24, 2026 | python, markdown, web, network