๐Ÿ” CVE Alert

CVE-2026-10830

HIGH 8.8

AllCoach < 1.0.2 - Unauthenticated Account Takeover

CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.

Vendor unknown
Product allcoach
Published Jul 6, 2026
Last Updated Jul 6, 2026
Stay Ahead of the Next One

Get instant alerts for unknown allcoach

Be the first to know when new high vulnerabilities affecting unknown allcoach are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / AllCoach
0 < 1.0.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/194e35d8-08ca-402d-a9bb-52383bc3dfab/

Credits

Pedro Pinho WPScan