CVE-2025-4473

Name of the Vulnerable Software and Affected Versions Frontend Dashboard plugin for WordPress versions 1.0 through 2.2.7

Description The issue is related to a missing capability check in the ajax request() function, allowing authenticated attackers with Subscriber-level access or higher to control the destination of outgoing emails sent by the plugin. This could enable attackers to capture password reset emails intended for administrators by redirecting SMTP to their own server, potentially leading to a full site takeover.

Recommendations For versions 1.0 through 2.2.7, consider disabling the ajax request() function until a patch is available to prevent exploitation. Restrict access to the email configuration settings to minimize the risk of attackers redirecting SMTP to their own server. Avoid using the plugin's email functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.