CVE-2025-3605

Name of the Vulnerable Software and Affected Versions Frontend Login and Registration Blocks plugin for WordPress versions 1.0.0 through 1.0.7

Description The issue is related to privilege escalation via account takeover. This occurs because the plugin does not properly validate a user's identity before updating their details, such as email, via the flr blocks user settings handle ajax callback() function. As a result, unauthenticated attackers can change arbitrary users' email addresses, including those of administrators, and use this to reset the user's password and gain access to their account.

Recommendations For versions 1.0.0 through 1.0.7, update to a version later than 1.0.7 to resolve the issue. As a temporary workaround, consider disabling the flr blocks user settings handle ajax callback() function until a patch is available.