CVE-2025-47646
published 2025-05-23

CVE-2025-47646: Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login & Registration psw-login-and-registration…

Priority: P274
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit
EPSS: 21.75% (97.3rd percentile)
Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login & Registration psw-login-and-registration allows Password Recovery Exploitation. This issue affects PSW Front-end Login & Registration: from n/a through <= 1.13.

Affected

1 range
Vendor                  Product                            Version range   Fixed in
gilblas_ngunte_possi    psw_front-end_login_registration   <= 1.13

Detection & IOCs (extracted from sources)

url: /wp-login.php
url: /wp-admin/admin-ajax.php
path: /wp-content/plugins/psw-login-and-registration
command (Nuclei template request body): first_name={{username}}&last_name={{username}}&new_user_name={{username}}&new_user_email={{email}}&new_user_password={{password}}&new_user_password_confirmation={{password}}&action=register_user_front_end&psw_form={{token}}
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php carrying the parameter action=register_user_front_end, the AJAX action the vulnerable plugin uses to register accounts.
  • The form field 'pswforgetform' in page responses indicates that the vulnerable PSW Front-end Login & Registration plugin is active; monitor for token extraction attempts via regex on this field.
  • Identify whether the vulnerable plugin is present by checking the response body of /wp-login.php for the strings 'psw_registration', 'pswlogform', and '/wp-content/plugins/psw-login-and-registration' together.
  • A successful exploitation response to the admin-ajax.php registration request contains both the registered username and the string 'activation link', with HTTP status 200.
  • Monitor for the X-Requested-With: XMLHttpRequest header combined with Content-Type: application/x-www-form-urlencoded on POST requests to /wp-admin/admin-ajax.php as part of the attack pattern.
  • The vulnerability affects PSW Front-end Login & Registration versions up to and including 1.13; version 1.14 or later contains the fix.
  • The attack is unauthenticated and exploitable remotely with no user interaction required (CVSS 9.8 Critical), so no authentication bypass is needed prior to exploitation.
  • The Nuclei template is marked 'intrusive' — running it against a target will attempt actual account registration and may create user accounts on the target WordPress site.
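The detection rules above can be turned into a small log-scanning check. The following is an added example written for this page, not code from the advisory, the plugin, or the Nuclei project. It assumes a reverse proxy or WAF that writes one JSON object per line with the request method, path, headers, POST body and response body captured (the field names `src_ip`, `method`, `path`, `status`, `headers`, `body`, `response_body` are an assumption; a plain access log does not record the body). The sample log lines are constructed; the only values taken from the page are the AJAX path, the `action=register_user_front_end` parameter, the header pair, and the 'activation link' success marker.

```python
"""Flag CVE-2025-47646 registration attempts in proxy/WAF logs.

Added example for this page; not the advisory's or the plugin's own code.
Log field names are assumed (see the lead-in); sample lines are constructed.
"""
import json
from typing import Optional
from urllib.parse import parse_qs, urlparse

AJAX_PATH = "/wp-admin/admin-ajax.php"
AJAX_ACTION = "register_user_front_end"   # AJAX action named in the IOCs above
SUCCESS_MARKER = "activation link"         # string seen in a successful response

# Constructed sample log (not real traffic): one JSON object per line.
SAMPLE_LOG = r"""
{"src_ip": "198.51.100.7", "method": "GET", "path": "/wp-login.php", "status": 200, "headers": {}, "body": "", "response_body": "<form id=\"pswlogform\">"}
{"src_ip": "203.0.113.5", "method": "POST", "path": "/wp-admin/admin-ajax.php", "status": 200, "headers": {"X-Requested-With": "XMLHttpRequest", "Content-Type": "application/x-www-form-urlencoded"}, "body": "action=heartbeat&_nonce=abcd", "response_body": "{\"success\":true}"}
{"src_ip": "203.0.113.5", "method": "POST", "path": "/wp-admin/admin-ajax.php", "status": 200, "headers": {"X-Requested-With": "XMLHttpRequest", "Content-Type": "application/x-www-form-urlencoded"}, "body": "first_name=qa1&last_name=qa1&new_user_name=qa1&new_user_email=qa1%40example.com&new_user_password=x&new_user_password_confirmation=x&action=register_user_front_end&psw_form=deadbeef", "response_body": "User qa1 registered. An activation link has been sent to your email."}
{"src_ip": "203.0.113.9", "method": "POST", "path": "/wp-admin/admin-ajax.php?action=register_user_front_end", "status": 403, "headers": {}, "body": "new_user_name=qa2", "response_body": "Forbidden"}
"""


def classify(entry: dict) -> Optional[dict]:
    """Return None for non-matching traffic, else a finding dict.

    verdict is 'success' when the response looks like a completed
    registration (HTTP 200, username echoed back, 'activation link'),
    otherwise 'attempt'.
    """
    if entry.get("method") != "POST":
        return None
    url = urlparse(entry.get("path", ""))
    if url.path != AJAX_PATH:
        return None
    # The AJAX action may be sent in the body or in the query string.
    params = parse_qs(entry.get("body", ""))
    params.update(parse_qs(url.query))
    if AJAX_ACTION not in params.get("action", []):
        return None

    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    header_match = (
        headers.get("x-requested-with") == "XMLHttpRequest"
        and headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    )
    username = params.get("new_user_name", [""])[0]
    response = entry.get("response_body", "")
    succeeded = (
        entry.get("status") == 200
        and SUCCESS_MARKER in response.lower()
        and bool(username)
        and username in response
    )
    return {
        "src_ip": entry.get("src_ip"),
        "verdict": "success" if succeeded else "attempt",
        "username": username,
        "header_match": header_match,
    }


def scan(log_text: str) -> list:
    """Parse a JSON-lines log and return all findings in order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Note that `action=register_user_front_end` is also the plugin's normal registration path, so a single hit shows the plugin is in use rather than proving exploitation; the stronger signal is volume and rate per source address, the header pair the page lists, and a run of successful registrations from one client.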