[CVE-2014-9039] Wordpress: Password Reset Logic Flaw

Description

wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3 and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an email account that received a password-reset message.

CVSS 2.0 Base score

Medium (4.3)

Researcher

Tanoy Bose (simultaneously and independently submitted by Momen Bassel and Bojan Slavkovic)

POC

Limited Disclosure
