Description
member.php in MyBB (aka MyBulletinBoard), when debug mode is available, allows remote authenticated users to change the password of any account by providing the account's registered e-mail address in a debug request for a do_lostpw action, which prints the change password verification code in the debug output.
Remediation
References
Related Vulnerabilities
WordPress Plugin zeList Directory Cross-Site Scripting (0.5.11.07)
WordPress Plugin MiwoFTP-File & Folder Manager Multiple Vulnerabilities (1.0.5)
WordPress Plugin WP REST API (WP API) Cross-Site Scripting (1.2.2)
WordPress Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2018-14028)