WordPress Plugin: yith-easy-login-register-popup-for-woocommerce: CVE-2021-39331: Authorization Bypass Through User-Controlled Key
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Sep 20, 2021 | May 15, 2025 | May 15, 2025 |
Description
The YITH Easy Login and Register Popup for WooCommerce plugin for WordPress is vulnerable to authorization bypass via password reset in versions up to, and including, 1.8.0. This is due to the plugin failing to properly validate whether a user is authorized to perform a password reset for the supplied user_login via the yith_welrp_form_action AJAX action. This makes it possible for unauthenticated users to reset an administrator's password and then log in to a site using that account.
Solution
yith-easy-login-register-popup-for-woocommerce-plugin-cve-2021-39331