vulnerability

WordPress Plugin: frontend-login-and-registration-blocks: CVE-2025-3607: Unverified Password Change

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:L/Au:S/C:C/I:C/A:C)	Apr 23, 2025	Jul 25, 2025	Jul 25, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:C/I:C/A:C)

Published

Apr 23, 2025

Added

Jul 25, 2025

Modified

Jul 25, 2025

Description

The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.8. This is due to the plugin not properly validating a user's identity prior to updating a password. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Solution

frontend-login-and-registration-blocks-plugin-cve-2025-3607

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-3607
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/b06ce1e4-5cfb-415d-ad09-db194d6b4354?source=api-prod
CVE-2025-3607
https://attackerkb.com/topics/CVE-2025-3607
CWE-620

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today