Description
fpw.php in e107 through 1.0.4 does not check the user_ban field, which makes it easier for remote attackers to reset passwords by sending a pwsubmit request and leveraging access to the e-mail account of a banned user.
Remediation
References
Related Vulnerabilities
WordPress Plugin Appointments PHP Object Injection (2.2.1)
UAParser.js Inclusion of Functionality from Untrusted Control Sphere Vulnerability (CVE-2021-4229)
Moodle Improper Validation of Integrity Check Value Vulnerability (CVE-2012-1170)
IBM RTC Permissions, Privileges, and Access Controls Vulnerability (CVE-2015-7440)
WordPress Plugin Facebook Page Feed Timeline Cross-Site Scripting (1.0)