PT-2025-17718 · WordPress · Frontend Login/Registration Blocks
Kenneth Dunn
·
Published
2025-04-24
·
Updated
2025-04-29
·
CVE-2025-3607
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Frontend Login and Registration Blocks plugin for WordPress versions up to, and including, 1.0.7
Description
The issue is related to privilege escalation via account takeover due to the plugin not properly validating a user's identity prior to updating a password. This allows authenticated attackers with Subscriber-level access and above to change arbitrary user's passwords, including administrators, and gain access to their account.
Recommendations
For versions up to, and including, 1.0.7, update to a version that properly validates user identity before allowing password changes, or consider disabling the password update functionality for users with Subscriber-level access and above until a patch is available.
Fix
LPE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Frontend Login/Registration Blocks