CVE-2024-8794: CWE-620 Unverified Password Change in bookingalgorithms BA Book Everything
The BA Book Everything plugin for WordPress is vulnerable to arbitrary password reset in all versions up to, and including, 1.6.20. This is due to the reset_user_password() function not verifying a user's identity prior to setting a password. This makes it possible for unauthenticated attackers to reset any user's passwords, including administrators. It's important to note that the attacker will not have access to the generated password, therefore, privilege escalation is not possible.
AI Analysis
Technical Summary
CVE-2024-8794 affects the BA Book Everything plugin for WordPress, where the reset_user_password() function fails to verify user identity before allowing a password reset. This flaw enables unauthenticated attackers to reset passwords for any user, including administrators. However, the attacker does not gain access to the generated password, limiting the impact to password reset without immediate privilege escalation. The vulnerability is present in all versions up to and including 1.6.20.
Potential Impact
An attacker can reset any user's password without authentication, potentially disrupting user access or causing denial of service for targeted accounts. Since the attacker does not receive the new password, they cannot directly escalate privileges or log in as the user without additional steps. There is no indication of confidentiality or availability impact beyond the password reset capability.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are provided in the advisory. Users should monitor the vendor's announcements for updates and apply any forthcoming patches promptly. Until a patch is available, consider restricting access to the password reset functionality or implementing additional verification controls if possible.
CVE-2024-8794: CWE-620 Unverified Password Change in bookingalgorithms BA Book Everything
Description
The BA Book Everything plugin for WordPress is vulnerable to arbitrary password reset in all versions up to, and including, 1.6.20. This is due to the reset_user_password() function not verifying a user's identity prior to setting a password. This makes it possible for unauthenticated attackers to reset any user's passwords, including administrators. It's important to note that the attacker will not have access to the generated password, therefore, privilege escalation is not possible.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-8794 affects the BA Book Everything plugin for WordPress, where the reset_user_password() function fails to verify user identity before allowing a password reset. This flaw enables unauthenticated attackers to reset passwords for any user, including administrators. However, the attacker does not gain access to the generated password, limiting the impact to password reset without immediate privilege escalation. The vulnerability is present in all versions up to and including 1.6.20.
Potential Impact
An attacker can reset any user's password without authentication, potentially disrupting user access or causing denial of service for targeted accounts. Since the attacker does not receive the new password, they cannot directly escalate privileges or log in as the user without additional steps. There is no indication of confidentiality or availability impact beyond the password reset capability.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are provided in the advisory. Users should monitor the vendor's announcements for updates and apply any forthcoming patches promptly. Until a patch is available, consider restricting access to the password reset functionality or implementing additional verification controls if possible.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-09-13T16:38:26.128Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b32b7ef31ef0b54f348
Added to database: 2/25/2026, 9:35:46 PM
Last enriched: 4/9/2026, 3:18:10 PM
Last updated: 4/12/2026, 5:12:24 AM
Views: 18
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.