Critical severity9.8NVD Advisory· Published May 31, 2025· Updated Apr 15, 2026
CVE-2025-4607
CVE-2025-4607
Description
The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() function. This is due to the use of a weak, low-entropy OTP mechanism in the forget() function. This makes it possible for unauthenticated attackers to initiate a password reset for any user, including administrators, and elevate their privileges for full site takeover.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- plugins.trac.wordpress.org/browser/psw-login-and-registration/trunk/public/class-prositegeneralfeatures-public.phpnvd
- plugins.trac.wordpress.org/browser/psw-login-and-registration/trunk/public/class-prositegeneralfeatures-public.phpnvd
- plugins.trac.wordpress.org/browser/psw-login-and-registration/trunk/public/class-prositegeneralfeatures-public.phpnvd
- wordpress.org/plugins/psw-login-and-registration/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/a2d6e595-0682-4a41-a432-afbcb50144e8nvd
News mentions
0No linked articles in our index yet.