Vulnerability Description
The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() function. This is due to the use of a weak, low-entropy OTP mechanism in the forget() function. This makes it possible for unauthenticated attackers to initiate a password reset for any user, including administrators, and elevate their privileges for full site takeover.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/psw-login-and-registration/trunk/publ
- https://plugins.trac.wordpress.org/browser/psw-login-and-registration/trunk/publ
- https://plugins.trac.wordpress.org/browser/psw-login-and-registration/trunk/publ
- https://wordpress.org/plugins/psw-login-and-registration/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a2d6e595-0682-4a41-a43
FAQ
What is CVE-2025-4607?
CVE-2025-4607 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() function. This is due to th...
How severe is CVE-2025-4607?
CVE-2025-4607 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-4607?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.