A critical vulnerability exists in the Dataverse Integration plugin for WordPress, allowing an unauthenticated attacker to reset any user's password, including administrators. This flaw, caused by a missing security check, can be easily exploited remotely to gain complete control over an affected website. This could lead to data theft, website defacement, or the distribution of malware from the compromised site.

The Dataverse Integration plugin exposes a REST API endpoint (reset_password_link) that is designed to facilitate password resets. Due to a missing authorization check, this endpoint fails to validate that the user initiating the request is authorized to perform this action. A remote, unauthenticated attacker can send a crafted request to this endpoint, specifying the username of a privileged user (e.g., an administrator), to generate a password reset link for that account. By accessing this link, the attacker can set a new password and gain complete, unauthorized control over the targeted user account.

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could lead to a complete compromise of the WordPress website. An attacker gaining administrative access could steal sensitive user data, access private content, deface the website, install malicious code, or use the trusted website to launch further attacks. This poses significant risks to the organization, including data breaches, direct financial loss, severe reputational damage, and potential legal or regulatory consequences.

Immediate Action: Immediately update the Dataverse Integration plugin to the latest patched version provided by the vendor. If the plugin is not essential for business operations, the recommended course of action is to disable and uninstall it to completely remove the attack surface.

Proactive Monitoring: Monitor web server access logs (e.g., Apache, Nginx) and WordPress security logs for unusual or repeated requests to the plugin's reset_password_link REST API endpoint. Configure alerts for password reset events, especially for administrative accounts, and investigate any resets originating from unexpected IP addresses or locations.

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) rule to block or restrict access to the vulnerable reset_password_link endpoint. Enforcing Multi-Factor Authentication (MFA) on all WordPress accounts, especially for administrators, can provide an additional layer of security to prevent account takeover even if a password is reset.

Public Exploit Available: false

Due to the High severity (CVSS 8.8) of this vulnerability and the potential for a complete website compromise, immediate action is required. Although this CVE is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its characteristics make it an attractive target for attackers. We strongly recommend all organizations prioritize the immediate update of the Dataverse Integration plugin to the latest secure version. If the plugin is not in use, it should be uninstalled immediately to eliminate the risk.