CVE•Published 2023-09-13•Modified 2026-04-08•0 articles on news•7 live references•NVD data

CVE-2023-4915Palmspark · Wp_user_control

Vulnerability data via NVD (ingested)

CVSS v3.1

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS percentile

Exploit Prediction Scoring System · top 67% of all CVEs

Weaknesses (CWE)

CWE-620Unverified Password Change

Description

The WP User Control plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.5.3. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (in the WP User Control Widget). The function changes the user's password after providing the email. The new password is only sent to the user's email, so the attacker does not have access to the new password.

Timeline

Published 2023-09-13

Modified 2026-04-08

External references

NVD MITRE Exploit-DB GitHub PoC Sploitus trickest/cve VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common). Live host counts are a Premium feature.

Shodan · vuln tag

vuln:CVE-2023-4915

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · WP plugin path

http.html:"/wp-content/plugins/wp-user-control/"

Matches any site loading the "wp-user-control" plugin — doesn't rely on Shodan's vuln tag.

Shodan · product

product:"Palmspark Wp User Control"

All exposed Palmspark Wp User Control instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Wp User Control"

HTTP body or banner mentions "Wp User Control" — catches deploys Shodan didn't identify as a product.