CVE-2025-3605
published 2025-05-09


Priority: P1 · 86 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 6.44% (92.9th percentile)
The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the flr_blocks_user_settings_handle_ajax_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
path: /wp-content/plugins/frontend-login-and-registration-blocks/
command: action=flrblocksusersettingsupdatehandle&user_id=1&flr-blocks-email-update=<email>
other: action=flrblocksusersettingsupdatehandle
sigma: POST /wp-admin/admin-ajax.php with body containing action=flrblocksusersettingsupdatehandle
  • Monitor unauthenticated POST requests to /wp-admin/admin-ajax.php containing the AJAX action 'flrblocksusersettingsupdatehandle' together with a user_id and a flr-blocks-email-update parameter; this is the exact exploit payload for CVE-2025-3605.
  • A successful exploit response contains a JSON body with `"status":true` and 'Operation has been completed successfully'; alert on these strings in responses to unauthenticated admin-ajax.php requests.
  • Detect the presence of the vulnerable plugin on a WordPress site by scanning HTTP responses for the path /wp-content/plugins/frontend-login-and-registration-blocks/.
  • The vulnerable code path is in class-flr-blocks-user-settings.php at line 59; review this file or monitor its integrity for tampering.
  • An attacker exploiting this CVE will follow up with a WordPress 'Forgot Password' request after changing the admin email; correlate an admin-ajax.php POST with action=flrblocksusersettingsupdatehandle followed by a password reset request for the same user.
  • The vulnerability affects all plugin versions up to and including 1.1.1 per NVD, but the exploit PoC targets version <= 1.0.7; ensure detection covers the full affected range through 1.1.1.
  • The exploit requires no authentication (PR:N, UI:N per CVSS 9.8); a WAF or authentication gating of admin-ajax.php will not block this, since the endpoint is intentionally public-facing for WordPress AJAX.
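As an added example (not code from the advisory, the plugin or its author), the two-stage correlation described in the bullets above, run over constructed request records: stage 1 is the unauthenticated admin-ajax.php POST carrying the vulnerable action, stage 2 a 'Forgot Password' submission to WordPress's standard wp-login.php?action=lostpassword endpoint for the same user. The record fields (including the `auth_cookie` flag standing in for a wordpress_logged_in_* cookie) and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit
AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "flrblocksusersettingsupdatehandle"  # AJAX action named in the advisory
EMAIL_PARAM = "flr-blocks-email-update"
WINDOW = timedelta(minutes=30)  # assumed correlation window; tune per site

def is_unauth_email_update(req):
    """Stage 1: unauthenticated POST to admin-ajax.php carrying the vulnerable action."""
    if req["method"] != "POST" or urlsplit(req["uri"]).path != AJAX_PATH or req["auth_cookie"]:
        return False  # auth_cookie (assumed field): request carried a wordpress_logged_in_* cookie
    body = parse_qs(req["body"])
    return body.get("action") == [VULN_ACTION] and "user_id" in body and EMAIL_PARAM in body

def is_lost_password(req):
    """Stage 2: WordPress 'Forgot Password' submission (wp-login.php?action=lostpassword)."""
    u = urlsplit(req["uri"])
    return (req["method"] == "POST" and u.path == "/wp-login.php"
            and parse_qs(u.query).get("action") == ["lostpassword"])

def correlate(requests):
    """Alert on each stage-1 hit, flagging whether a stage-2 reset for the same user followed."""
    requests = sorted(requests, key=lambda r: r["ts"])
    alerts = []
    for i, req in enumerate(requests):
        if not is_unauth_email_update(req):
            continue
        body = parse_qs(req["body"])
        alert = {"ts": req["ts"], "src": req["src"], "user_id": body["user_id"][0],
                 "new_email": body[EMAIL_PARAM][0], "reset_followup": False}
        for later in requests[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - datetime.fromisoformat(req["ts"]) > WINDOW:
                break
            # lostpassword takes a username or email: a reset naming the email just written to
            # the account, or coming from the same source address, ties it to this stage-1 hit.
            login = parse_qs(later["body"]).get("user_login", [None])[0]
            if is_lost_password(later) and (login == alert["new_email"] or later["src"] == req["src"]):
                alert["reset_followup"] = True
                break
        alerts.append(alert)
    return alerts

# Constructed sample records (not real traffic): a benign authenticated self-service edit,
# an unauthenticated change of user_id=1's email, then a reset request naming that new email.
SAMPLE = [
    {"ts": "2025-05-10T09:00:00", "src": "198.51.100.7", "method": "POST", "uri": AJAX_PATH, "auth_cookie": True,
     "body": "action=flrblocksusersettingsupdatehandle&user_id=5&flr-blocks-email-update=me%40example.org"},
    {"ts": "2025-05-10T09:05:00", "src": "203.0.113.9", "method": "POST", "uri": AJAX_PATH, "auth_cookie": False,
     "body": "action=flrblocksusersettingsupdatehandle&user_id=1&flr-blocks-email-update=changed%40example.net"},
    {"ts": "2025-05-10T09:06:00", "src": "203.0.113.9", "method": "POST", "auth_cookie": False,
     "uri": "/wp-login.php?action=lostpassword", "body": "user_login=changed%40example.net"},
]
```

Running `correlate(SAMPLE)` yields one alert for user_id 1 with `reset_followup` set; the authenticated edit of user_id 5 is not flagged.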

CVSS provenance

nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL