CVE-2020-36176

The iThemes Security (formerly Better WP Security) plugin before 7.7.0 for WordPress does not enforce a new-password requirement for an existing account until the second login occurs. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt