Anyone can import a CSV file, and Pie Register will import users from that file.
The password is random because it is generated with wp_generate_password().
We cannot reset the password because the imported account does not have its “active” flag set to true.
Anyone who knows the user id can set the “active” flag to true.
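The two missing checks described above (who may import users, and who may set the “active” flag) can be enforced as in the following added example. It is not Pie Register's code: the handler and action names, the nonce field, the two-column CSV layout, the `uid` POST parameter and the `active` meta key are all assumptions made for illustration.

```php
<?php
// Added example: hypothetical handlers, not Pie Register's code. The action
// names, nonce field, CSV layout and the 'active' meta key are assumptions.

// Only admin_post_ hooks are registered (no admin_post_nopriv_ twin), so
// WordPress never routes an unauthenticated request to these callbacks.
add_action('admin_post_example_import_users', 'example_import_users');
add_action('admin_post_example_activate_user', 'example_activate_user');

function example_import_users() {
    // Being logged in is not enough: require the right to create users.
    if (!current_user_can('create_users')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }
    check_admin_referer('example_import_users', 'example_nonce'); // CSRF check
    $tmp = isset($_FILES['csv']['tmp_name']) ? $_FILES['csv']['tmp_name'] : '';
    if (!is_uploaded_file($tmp) || !($fh = fopen($tmp, 'r'))) {
        wp_die('No readable CSV upload.', '', array('response' => 400));
    }
    while (($row = fgetcsv($fh)) !== false) {
        if (count($row) < 2) {
            continue; // skip blank or short lines
        }
        // Constructed layout: login,email. The role is not taken from the file.
        $id = wp_insert_user(array(
            'user_login' => sanitize_user($row[0], true),
            'user_email' => sanitize_email($row[1]),
            'user_pass'  => wp_generate_password(24),
            'role'       => get_option('default_role'),
        ));
        if (!is_wp_error($id)) {
            update_user_meta($id, 'active', 0); // inactive until an admin acts
        }
    }
    fclose($fh);
    wp_safe_redirect(admin_url('users.php'));
    exit;
}

function example_activate_user() {
    $uid = isset($_POST['uid']) ? absint($_POST['uid']) : 0;
    // Knowing a uid must not be sufficient: the caller must manage users.
    if (!current_user_can('edit_users') || !$uid || !get_userdata($uid)) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }
    check_admin_referer('example_activate_user_' . $uid, 'example_nonce');
    update_user_meta($uid, 'active', 1);
    wp_safe_redirect(admin_url('users.php'));
    exit;
}
```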
Proof of Concept:
Create a CSV file based on the given example:
Import the account using:
Create another standard account using
After logging in, go to wp-admin/profile.php and search for "uid" in the page source.
"uid" is our current account id. For example:
We can assume that previously imported admin account has
x is natural number).
We can activate this account using:
Finally we can reset password using:
- 16-10-2014: Discovered
- 06-11-2014: Vendor notified
- 18-11-2014: Second notification
- 12-12-2014: Version 2.0.14 released, issue resolved