CWE-640
Weak Password Recovery Mechanism for Forgotten Password
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
We have discovered 17,376 live websites that are affected by CWE-640.
CVEs
- Count - 8
CWE References
Website Distribution by Country
Number of websites using CWE-640 United States | 8,334 websites |
 Germany | 1,379 websites |
 Iran | 1,013 websites |
 GB | 928 websites |
 France | 773 websites |
 Italy | 487 websites |
 Cyprus | 374 websites |
 Canada | 343 websites |
 Australia | 297 websites |
 Netherlands | 293 websites |
Website Distribution by TLD
Number of websites using CWE-640| .com | 10,101 websites |
| .org | 1,014 websites |
| .net | 596 websites |
| .de | 472 websites |
| .co.uk | 434 websites |
| .it | 312 websites |
| .fr | 257 websites |
| .com.au | 253 websites |
| .nl | 222 websites |
| .ca | 175 websites |
Newest CVEs
List of the most recent CVEs that are part of CWE-640| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Dec, 2025 | CVE-2025-14783 | Easy Digital Downloads <= 3.6.2 - Unvalidated Redirect in Password Reset Flow via edd_redirect | 15,039 |
| Nov, 2025 | CVE-2025-62406 | Piwigo is vulnerable to one-click account takeover by modifying the password-reset link | 551 |
| Sep, 2025 | CVE-2025-32486 | WordPress Material Dashboard plugin <= 1.4.6 - Privilege Escalation Vulnerability | 1 |
| Feb, 2025 | CVE-2025-1570 | Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.1 - Privilege Escalation and Account Takeover via Weak OTP | 393 |
| Nov, 2024 | CVE-2024-11103 | Contest Gallery <= 24.0.7 - Unauthenticated Arbitrary Password Reset to Privilege Escalation/Account Takeover | 15 |
| Oct, 2024 | CVE-2024-9305 | AppPresser – Mobile App Framework <= 4.4.4 - Privilege Escalation and Account Takeover via Weak OTP | 106 |
| Jan, 2022 | CVE-2022-22691 | Umbraco Password Reset URL Poison | 885 |
| Aug, 2021 | CVE-2021-37693 | Re-use of email tokens in Discourse | 387 |
The most widespread CVEs
List of the most common CVEs that are part of CWE-640| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Dec, 2025 | CVE-2025-14783 | Easy Digital Downloads <= 3.6.2 - Unvalidated Redirect in Password Reset Flow via edd_redirect | 15,039 |
| Jan, 2022 | CVE-2022-22691 | Umbraco Password Reset URL Poison | 885 |
| Nov, 2025 | CVE-2025-62406 | Piwigo is vulnerable to one-click account takeover by modifying the password-reset link | 551 |
| Feb, 2025 | CVE-2025-1570 | Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.1 - Privilege Escalation and Account Takeover via Weak OTP | 393 |
| Aug, 2021 | CVE-2021-37693 | Re-use of email tokens in Discourse | 387 |
| Oct, 2024 | CVE-2024-9305 | AppPresser – Mobile App Framework <= 4.4.4 - Privilege Escalation and Account Takeover via Weak OTP | 106 |
| Nov, 2024 | CVE-2024-11103 | Contest Gallery <= 24.0.7 - Unauthenticated Arbitrary Password Reset to Privilege Escalation/Account Takeover | 15 |
| Sep, 2025 | CVE-2025-32486 | WordPress Material Dashboard plugin <= 1.4.6 - Privilege Escalation Vulnerability | 1 |
Websites affected by CWE-640
Top websites that are affected by CWE-640. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.com | United States | *,*** | |
| ***************.eu | Netherlands | *,*** | |
| ********.com | Germany | *,*** | |
| **************.com | Canada | *,*** | |
| **********.com | United States | *,*** | |
| ********.com | United States | *,*** | |
| ************.com | United States | *,*** | |
| **********.com | United States | *,*** | |
| *************.com | United States | *,*** | |
| *************.com | United States | *,*** |