CVE-2025-3605
Published: 2025-05-09
Priority: P186 · CVSS 3.1: 9.8 (critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit) · VulnCheck KEV · Initial access
EPSS: 6.44% (92.9th percentile)
The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.1. This is due to the plugin not properly validating a user's identity prior to updating their details, such as their email address, via the flr_blocks_user_settings_handle_ajax_callback() function. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including those of administrators, and leverage that to reset the user's password and gain access to their account.
Detection & IOCs (extracted from sources)
Sigma rule: POST /wp-admin/admin-ajax.php with body containing action=flrblocksusersettingsupdatehandle
- Monitor unauthenticated POST requests to /wp-admin/admin-ajax.php containing the AJAX action 'flrblocksusersettingsupdatehandle' with a user_id and flr-blocks-email-update parameter; this is the exact exploit payload for CVE-2025-3605.
- A successful exploit response will contain a JSON body with '"status":true' and 'Operation has been completed successfully'; alert on these strings in unauthenticated admin-ajax.php responses.
- Detect the presence of the vulnerable plugin on a WordPress site by scanning for the path /wp-content/plugins/frontend-login-and-registration-blocks/ in HTTP responses.
- The vulnerable code path is in class-flr-blocks-user-settings.php at line 59; review or monitor file integrity of this specific file for tampering.
- An attacker exploiting this CVE will follow up with a WordPress 'Forgot Password' request after changing the admin email; correlate an admin-ajax.php POST with action=flrblocksusersettingsupdatehandle followed by a password reset request for the same user.
- The vulnerability affects all plugin versions up to and including 1.1.1 per NVD, but the exploit PoC targets version <= 1.0.7; ensure detection covers the full affected range through 1.1.1.
- The exploit requires no authentication (PR:N, UI:N per CVSS 9.8); WAF or authentication-gating of admin-ajax.php will not block this, since the endpoint is intentionally public-facing for WordPress AJAX.
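The detection bullets above, turned into runnable logic as an added example (this is not code from the page or from any of the sources it indexes). It assumes a request-logging layer that retains POST bodies and response bodies (standard access logs do not), and it uses the standard WordPress lost-password endpoint wp-login.php?action=lostpassword to correlate the follow-up reset; the 15-minute correlation window and the sample records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "flrblocksusersettingsupdatehandle"          # AJAX action named in the detection bullets
REQUIRED_PARAMS = ("user_id", "flr-blocks-email-update")    # parameters named in the detection bullets
SUCCESS_MARKERS = ('"status":true', "Operation has been completed successfully")
RESET_PATH = "/wp-login.php"                                # standard WordPress lost-password endpoint
RESET_WINDOW = timedelta(minutes=15)                        # assumption: window for the follow-up reset


@dataclass
class RequestEvent:
    """One logged HTTP request. Assumes a logging layer that keeps request and response bodies."""
    ts: datetime
    src_ip: str
    method: str
    path: str                      # path plus query string
    body: str = ""
    authenticated: bool = False    # True when the request carried a valid WordPress login cookie
    response_body: str = ""


def is_exploit_attempt(ev: RequestEvent) -> bool:
    """POST to admin-ajax.php whose body carries the vulnerable action and both parameters."""
    if ev.method != "POST" or urlsplit(ev.path).path != AJAX_PATH:
        return False
    params = parse_qs(ev.body)
    return params.get("action") == [VULN_ACTION] and all(p in params for p in REQUIRED_PARAMS)


def is_successful(ev: RequestEvent) -> bool:
    """Both success strings from the detection bullets appear in the response body."""
    return all(marker in ev.response_body for marker in SUCCESS_MARKERS)


def is_password_reset(ev: RequestEvent) -> bool:
    """A POST to the WordPress 'Forgot Password' form."""
    parts = urlsplit(ev.path)
    return (ev.method == "POST" and parts.path == RESET_PATH
            and parse_qs(parts.query).get("action") == ["lostpassword"])


def detect(events):
    """One finding per matching request, escalated when a reset from the same source follows."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(events):
        if not is_exploit_attempt(ev):
            continue
        params = parse_qs(ev.body)
        finding = {
            "ts": ev.ts.isoformat(),
            "src_ip": ev.src_ip,
            "user_id": params["user_id"][0],
            "new_email": params["flr-blocks-email-update"][0],
            "authenticated": ev.authenticated,
            "success": is_successful(ev),
            "followed_by_reset": False,
            # Logged-in users legitimately update their own settings through this action, so an
            # authenticated hit is only medium; an unauthenticated hit matches the CVE precondition (PR:N).
            "severity": "medium" if ev.authenticated else "high",
        }
        for later in events[i + 1:]:
            if later.ts - ev.ts > RESET_WINDOW:
                break
            if later.src_ip == ev.src_ip and is_password_reset(later):
                finding["followed_by_reset"] = True
                finding["severity"] = "critical"
                break
        findings.append(finding)
    return findings


# Constructed sample records (documentation-range IPs; not real traffic).
T0 = datetime(2025, 5, 12, 10, 0, 0)
SUCCESS_RESPONSE = '{"status":true,"message":"Operation has been completed successfully"}'
SAMPLE_EVENTS = [
    RequestEvent(T0 - timedelta(minutes=10), "192.0.2.5", "POST", AJAX_PATH,
                 "action=flrblocksusersettingsupdatehandle&user_id=7&flr-blocks-email-update=me%40example.net",
                 authenticated=True, response_body=SUCCESS_RESPONSE),   # logged-in self-service update
    RequestEvent(T0, "198.51.100.7", "POST", AJAX_PATH, "action=heartbeat&_nonce=abc",
                 authenticated=True),                                    # unrelated benign AJAX call
    RequestEvent(T0 + timedelta(seconds=62), "203.0.113.10", "POST", AJAX_PATH,
                 "action=flrblocksusersettingsupdatehandle&user_id=1&flr-blocks-email-update=new%40example.org",
                 response_body=SUCCESS_RESPONSE),                        # unauthenticated, admin user_id
    RequestEvent(T0 + timedelta(seconds=69), "203.0.113.10", "POST",
                 "/wp-login.php?action=lostpassword", "user_login=admin"),  # follow-up reset request
    RequestEvent(T0 + timedelta(minutes=5), "198.51.100.9", "POST", AJAX_PATH,
                 "action=flrblocksusersettingsupdatehandle&user_id=1&flr-blocks-email-update=x%40example.org",
                 response_body='{"status":false}'),                      # unauthenticated, failed
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Running it on the constructed records yields three findings: the logged-in self-service update scores medium, the unauthenticated change of user_id 1 followed seven seconds later by a lost-password request from the same address scores critical, and the unauthenticated attempt whose response lacks the success markers scores high. The action string alone cannot distinguish legitimate use from abuse; the unauthenticated flag and the reset correlation are what raise confidence.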
CVSS provenance
- NVD: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-q43x-gh6j-72hr · ghsa_unreviewed · 2025-05-09 · CVE-2025-3605 [CRITICAL] · CWE-639
The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.7. This is due to the plugin not properly validating a user's identity prior to updating their details, such as their email address, via the flr_blocks_user_settings_handle_ajax_callback() function. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including those of administrators, and leverage that to reset the user's password and gain access to their account.
VulnCheck
CVE-2025-3605 [CRITICAL] · Authorization Bypass Through User-Controlled Key · vulncheck · 2025 · CVSS 9.8
The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.1. This is due to the plugin not properly validating a user's identity prior to updating their details, such as their email address, via the flr_blocks_user_settings_handle_ajax_callback() function. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including those of administrators, and leverage that to reset the user's password and gain access to their account.
Affected: Kadim Gültekin Frontend Login and Registration Blocks plugin for WordPress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if re
No detection rules found.
Exploit-DB
CVE-2025-3605 [CRITICAL] · WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation · exploitdb · 2025-05-13 · CVSS 9.8
---
# Exploit Title: WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
# Google Dork: inurl:/wp-content/plugins/frontend-login-and-registration-blocks/
# Date: 2025-05-12
# Exploit Author: Md Shoriful Islam (RootHarpy)
# Vendor Homepage: https://wordpress.org/plugins/frontend-login-and-registration-blocks/
# Software Link: https://downloads.wordpress.org/plugin/frontend-login-and-registration-blocks.1.0.7.zip
# Version: <= 1.0.7
# Tested on: Ubuntu 22.04 + WordPress 6.5.2
# CVE : CVE-2025-3605
import requests
import argparse
import sys
def display_banner():
banner = """
_____ _____ ___ __ ___ ___ ____ __ __ ___
/ __\ \ / / __|_|_ ) \_ ) __|__|__ / / / / \| __|
| (__ \
Nuclei
CVE-2025-3605 [CRITICAL] · WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation · nuclei · CVSS 9.8
A privilege escalation vulnerability exists in the Frontend Login and Registration Blocks plugin for WordPress (versions <= 1.0.7). An unauthenticated attacker can exploit the AJAX endpoint flr_blocks_user_settings_handle_ajax_callback() to change the administrator's email address. Subsequently, the attacker can use the "Forgot Password" feature to reset the administrator's password, thereby gaining unauthorized access to the admin account.
Template:
id: CVE-2025-3605
info:
name: WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
author: beginee
severity: critical
description: |
Privilege escalation vulnerability exists in the Frontend Login and Registration Blocks plugi
No writeups or analysis indexed.