CWE-620
Unverified Password Change
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
We have discovered 2,455 live websites that are affected by CWE-620.
CVEs
- Count - 8
CWE References
Website Distribution by Country
Number of websites using CWE-620 United States | 525 websites |
 Italy | 190 websites |
 Germany | 174 websites |
 GB | 125 websites |
 Spain | 117 websites |
 France | 117 websites |
 Netherlands | 95 websites |
 South Africa | 59 websites |
 Poland | 55 websites |
 Russia | 54 websites |
Website Distribution by TLD
Number of websites using CWE-620| .com | 1,024 websites |
| .it | 158 websites |
| .co.uk | 75 websites |
| .de | 74 websites |
| .nl | 73 websites |
| .com.br | 50 websites |
| .es | 49 websites |
| .pl | 46 websites |
| .com.au | 45 websites |
| .ru | 42 websites |
Newest CVEs
List of the most recent CVEs that are part of CWE-620| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Jul, 2025 | CVE-2025-4606 | Sala - Startup & SaaS WordPress Theme <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover | 1 |
| Jun, 2025 | CVE-2025-5482 | Sunshine Photo Cart <= 3.4.11 - Authenticated (Subscriber) Privilege Escalation | 42 |
| May, 2025 | CVE-2025-4322 | Motors <= 5.6.67 - Unauthenticated Privilege Escalation via Password Update/Account Takeover | 1,912 |
| May, 2025 | CVE-2025-47938 | TYPO3 Vulnerable to Unverified Password Change for Backend Users | 3 |
| Apr, 2025 | CVE-2025-3607 | Frontend Login and Registration Blocks <= 1.0.7 - Authenticated (Subscriber+) Privilege Escalation via Password Reset | 3 |
| Mar, 2025 | CVE-2024-12824 | Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change | 1 |
| Sep, 2024 | CVE-2024-8794 | BA Book Everything <= 1.6.20 - Unauthenticated Arbitrary User Password Reset | 387 |
| Sep, 2022 | CVE-2022-3152 | Unverified Password Change in phpfusion/phpfusion | 106 |
The most widespread CVEs
List of the most common CVEs that are part of CWE-620| Discovered | CVE | Description | Websites |
|---|---|---|---|
| May, 2025 | CVE-2025-4322 | Motors <= 5.6.67 - Unauthenticated Privilege Escalation via Password Update/Account Takeover | 1,912 |
| Sep, 2024 | CVE-2024-8794 | BA Book Everything <= 1.6.20 - Unauthenticated Arbitrary User Password Reset | 387 |
| Sep, 2022 | CVE-2022-3152 | Unverified Password Change in phpfusion/phpfusion | 106 |
| Jun, 2025 | CVE-2025-5482 | Sunshine Photo Cart <= 3.4.11 - Authenticated (Subscriber) Privilege Escalation | 42 |
| Apr, 2025 | CVE-2025-3607 | Frontend Login and Registration Blocks <= 1.0.7 - Authenticated (Subscriber+) Privilege Escalation via Password Reset | 3 |
| May, 2025 | CVE-2025-47938 | TYPO3 Vulnerable to Unverified Password Change for Backend Users | 3 |
| Mar, 2025 | CVE-2024-12824 | Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change | 1 |
| Jul, 2025 | CVE-2025-4606 | Sala - Startup & SaaS WordPress Theme <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover | 1 |
Websites affected by CWE-620
Top websites that are affected by CWE-620. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***************.com | United States | ***,*** | |
| *********.com | Germany | ***,*** | |
| **************.com | United States | ***,*** | |
| *********.com | United States | ***,*** | |
| ****.*************.com | United States | ***,*** | |
| ***************.com | United States | ***,*** | |
| *************.com | United States | *,***,*** | |
| ************.com | United States | *,***,*** | |
| ***************.de | Germany | *,***,*** | |
| *********.fr | France | *,***,*** |