CVE-2026-28213

EverShop · EverShop

The EverShop eCommerce platform leaks password reset tokens in API responses, enabling unauthenticated attackers to bypass authentication and take over any user account.

Executive summary

A critical flaw in EverShop's "Forgot Password" functionality allows unauthenticated attackers to compromise any account by obtaining reset tokens directly from API responses.

Vulnerability

The vulnerability exists in the "Forgot Password" API. When a password reset is requested, the server incorrectly includes the secret reset token in its response, allowing an unauthenticated attacker to reset the password for any email address.

Business impact

This vulnerability carries a CVSS score of 9.8 because it enables trivial account takeover for any user, including administrators. For an eCommerce platform, this exposes customer data to theft, opens the door to financial fraud, and risks a total loss of platform integrity and consumer trust.

Remediation

Immediate Action: Update EverShop to version 2.1.1 or later, in which password reset tokens are no longer exposed in API responses.

Proactive Monitoring: Review account activity logs for a surge in password reset requests followed by immediate logins from different locations.

Compensating Controls: If patching is delayed, consider temporarily disabling the password reset functionality or implementing strict rate-limiting on the forgot password API endpoint.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The ability to take over any account without credentials makes this a critical security emergency. IT teams must prioritize the update to EverShop version 2.1.1 to protect user accounts and prevent catastrophic data breaches.