CVE-2026-10830 in AllCoach Plugin
Summary
by MITRE • 07/06/2026
The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/06/2026
The AllCoach WordPress plugin vulnerability represents a critical security flaw in user account management that directly impacts authentication integrity and system access control. This issue affects versions prior to 10.2 and stems from inadequate input validation within the public account registration endpoint. The vulnerability creates a scenario where unauthenticated attackers can exploit the plugin's weak verification mechanisms to manipulate existing user accounts without proper authorization. The flaw specifically manifests when the plugin accepts email addresses submitted through a public interface and fails to perform proper duplicate checking before executing password reset operations. This oversight allows malicious actors to target any existing account, including high-privilege administrator accounts, by simply submitting the corresponding email address to the vulnerable endpoint.
The technical implementation of this vulnerability exposes fundamental weaknesses in the plugin's security architecture and demonstrates poor adherence to secure coding practices. The lack of proper authentication checks before executing sensitive operations violates core security principles outlined in the CWE-604 category for access control bypass through public interfaces. When an attacker submits an email address through the registration endpoint, the system should verify whether that email is already associated with an existing user account and either reject the request or properly authenticate the user before proceeding with password reset operations. Instead, the plugin blindly accepts any submitted email address and proceeds to overwrite existing user credentials, effectively enabling privilege escalation attacks.
The operational impact of this vulnerability extends beyond simple credential theft, as it provides attackers with a direct pathway to full system compromise through unauthorized account takeover. An attacker can systematically target users within the WordPress installation, starting with administrator accounts to gain complete control over the site's functionality and content. This vulnerability particularly affects organizations relying on WordPress for business-critical applications where plugin security is paramount. The lack of rate limiting or additional verification mechanisms means that attackers can repeatedly attempt password resets against multiple accounts, potentially leading to account lockout scenarios or successful compromise of high-value targets. Such attacks align with ATT&CK technique T1565.001 for credential manipulation through password reset functionality.
Mitigation strategies should focus on immediate plugin updates to version 1.0.2 or later, which presumably addresses the core verification flaw. Security teams must also implement additional monitoring of registration endpoints and establish proper access controls that prevent unauthorized modifications to user accounts. Organizations should consider implementing rate limiting mechanisms on public-facing registration interfaces and conducting thorough security audits of all installed plugins to identify similar vulnerabilities. The vulnerability highlights the importance of defensive programming practices including input validation, proper authentication checks, and adherence to secure development lifecycle principles that prevent such critical flaws from reaching production environments.