CVE-2025-4104
Published 2025-05-07
Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Priority: P265
EPSS: 0.48% (37.8th percentile)
The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_wp_ajax_fed_login_form_post() function in versions 1.0 to 2.2.6. This makes it possible for unauthenticated attackers to reset the administrator’s email and password, and elevate their privileges to that of an administrator.
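The bug class behind the description above, shown as an added illustration in WordPress PHP. This is not the Frontend Dashboard plugin's code: the handler names, the `example_account_update` action and the request field names are hypothetical, and the target user ID is taken from the request only to make the failure mode visible. WordPress registers AJAX handlers for logged-out callers under the `wp_ajax_nopriv_` prefix, so a handler hooked there runs for any visitor who can reach `admin-ajax.php`; the first function changes whatever account the caller names, the second adds the nonce and capability checks that were missing.

```php
<?php
// Added illustrative example, not the plugin's own code. Handler names,
// the action name and the POST field names are hypothetical.

// --- Vulnerable pattern ------------------------------------------------
// Hooked for logged-out users (wp_ajax_nopriv_*), reads the target user ID
// and new credentials straight from the request, and calls wp_update_user()
// with no nonce and no capability check. Any visitor can point it at the
// administrator account and take it over.
add_action( 'wp_ajax_nopriv_example_account_update', 'example_account_update_vulnerable' );
add_action( 'wp_ajax_example_account_update', 'example_account_update_vulnerable' );
function example_account_update_vulnerable() {
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $email    = sanitize_email( $_POST['email'] ?? '' );
    $password = (string) ( $_POST['password'] ?? '' );

    wp_update_user( array(
        'ID'         => $user_id,
        'user_email' => $email,
        'user_pass'  => $password,
    ) );
    wp_send_json_success();
}

// --- Hardened pattern --------------------------------------------------
// Registered only for logged-in users (no wp_ajax_nopriv_ hook), verifies
// a nonce issued for this action, and lets a caller change only their own
// account unless they hold edit_user on the target. wp_send_json_error()
// ends the request, so no return statements are needed after it.
add_action( 'wp_ajax_example_account_update_safe', 'example_account_update_safe' );
function example_account_update_safe() {
    // CSRF: the request must carry a nonce created with
    // wp_create_nonce( 'example_account_update' ) in the 'nonce' field.
    check_ajax_referer( 'example_account_update', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $target_id = absint( $_POST['user_id'] ?? 0 );
    $self_id   = get_current_user_id();

    // Authorization: self-service, or an explicit capability on the target.
    // current_user_can( 'edit_user', $id ) maps to edit_users for other
    // accounts, which subscribers do not have.
    if ( $target_id !== $self_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $email    = sanitize_email( $_POST['email'] ?? '' );
    $password = (string) ( $_POST['password'] ?? '' );
    if ( ! is_email( $email ) || strlen( $password ) < 12 ) {
        wp_send_json_error( 'invalid email or password', 400 );
    }

    $result = wp_update_user( array(
        'ID'         => $target_id,
        'user_email' => $email,
        'user_pass'  => $password,
    ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
```

When reviewing a plugin for this class of issue, look for every `add_action( 'wp_ajax_nopriv_...' )` whose handler writes user, option or post data, then check that the handler verifies a nonce and a capability against the specific object it modifies; a nonce alone is not authorization, and a logged-in check alone still lets a subscriber act on an administrator's account.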
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vinoth06 | frontend_dashboard | 1.0 – 2.2.6 | — |
The fixed-in field is empty on this page, but the affected range ends at 2.2.6 and the references below cite the 2.2.7 tag and changeset 3288562 for the fix, so 2.2.7 is the first release outside the affected range.
Suricata
This rule is unrelated to CVE-2025-4104: it targets the TBK DVR-4104/4216 command injection (CVE-2024-3721, CVSS 6.3, rule created 2025-03-26) and does not detect the WordPress issue described above. No Suricata rule for CVE-2025-4104 is listed.
ET WEB_SPECIFIC_APPS TBK DVR-4104/4216 Command Injection Attempt (CVE-2024-3721)
Rule (truncated as on the page): alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TBK DVR-4104/4216 Command Injection Attempt (CVE-2024-3721)"; flow:established,to_server; http.uri; content:"/device.rsp|3f|opt|3d|sys|26|cmd|3d 5f 5f 5f|S|5f|O|5f|S|5f|T|5f|R|5f|E|5f|A|5f|MAX|5f 5f 5f|"; startswith; fast_pattern; content:"mdb|3d|"; within:20; content:"mdc|3d|"; within:20; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2024-3721; reference:url,github.com/netsecfish/tbk_dvr_command_injection; classtype:attempted-admin; sid:2061111; rev:1; metadata:affected_product DVR, attack_target IoT, tls_state plaintext, created_at 2025_03_26, cve CVE_2024_3721, deployment
Exploits
No public exploits indexed.
References
- https://plugins.trac.wordpress.org/browser/frontend-dashboard/tags/2.2.6/includes/frontend/request/login/index.php#L21
- https://plugins.trac.wordpress.org/browser/frontend-dashboard/tags/2.2.6/includes/frontend/request/login/register.php#L16
- https://plugins.trac.wordpress.org/browser/frontend-dashboard/tags/2.2.7/includes/frontend/request/login/validation.php
- https://plugins.trac.wordpress.org/changeset/3288562/
- https://wordpress.org/plugins/frontend-dashboard/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/31e518a9-316b-40a4-ada7-317fb2c16766?source=cve