CVE-2026-10830
AllCoach < 1.0.2 - Unauthenticated Account Takeover
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th
The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already associated with an existing user before overwriting that user's password, allowing unauthenticated attackers to reset the password of arbitrary accounts, including administrators, and take over the site.
| Vendor | unknown |
| Product | allcoach |
| Published | Jul 6, 2026 |
| Last Updated | Jul 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown allcoach
Be the first to know when new high vulnerabilities affecting unknown allcoach are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / AllCoach
0 < 1.0.2
References
Credits
Pedro Pinho WPScan