What is the severity of CVE-2025-3607?

CVE-2025-3607 is classified as a privilege escalation vulnerability that can lead to account takeover.

How do I fix CVE-2025-3607?

To fix CVE-2025-3607, update the Frontend Login and Registration Blocks plugin to the latest version beyond 1.0.7.

What versions are affected by CVE-2025-3607?

All versions of the Frontend Login and Registration Blocks plugin up to and including version 1.0.7 are affected by CVE-2025-3607.

What can an attacker do with CVE-2025-3607?

An attacker can exploit CVE-2025-3607 to take over user accounts by bypassing password validation.

Is there a temporary workaround for CVE-2025-3607?

Disabling the Frontend Login and Registration Blocks plugin until a patch can be applied can serve as a temporary workaround for CVE-2025-3607.

Vulnerability/
CVE-2025-3607

high

8.8

CWE

620

EPSS

0.039%

24/4/2025

CVE-2025-3607: Frontend Login and Registration Blocks <= 1.0.7 - Authenticated (Subscriber+) Privilege Escalation via Password Reset

First published: Thu Apr 24 2025(Updated: )

The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.7. This is due to the plugin not properly validating a user's identity prior to updating a password. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Credit: security@wordfence.com

Affected Software	Affected Version	How to fix
WordPress Frontend Login and Registration Blocks	<=1.0.7

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-3607?
CVE-2025-3607 is classified as a privilege escalation vulnerability that can lead to account takeover.
How do I fix CVE-2025-3607?
To fix CVE-2025-3607, update the Frontend Login and Registration Blocks plugin to the latest version beyond 1.0.7.
What versions are affected by CVE-2025-3607?
All versions of the Frontend Login and Registration Blocks plugin up to and including version 1.0.7 are affected by CVE-2025-3607.
What can an attacker do with CVE-2025-3607?
An attacker can exploit CVE-2025-3607 to take over user accounts by bypassing password validation.
Is there a temporary workaround for CVE-2025-3607?
Disabling the Frontend Login and Registration Blocks plugin until a patch can be applied can serve as a temporary workaround for CVE-2025-3607.

collector/mitre-cve
source/MITRE
agent/weakness
agent/title
agent/references
agent/type
agent/first-publish-date
agent/description
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/softwarecombine
collector/nvd-api
source/NVD
agent/author
agent/last-modified-date
agent/severity
agent/event
collector/epss-latest
source/FIRST
agent/source
agent/tags
agent/epss
vendor/wordpress
canonical/wordpress frontend login and registration blocks

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.