How severe is CVE-2025-3607?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2025-3607?

This is classified as CWE-620, which is a common weakness in software security.

CVE-2025-3607 - HIGH Severity | CVSS 8.8

Vulnerability Description

The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.7. This is due to the plugin not properly validating a user's identity prior to updating a password. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Related Vulnerabilities

CVE-2017-14005

HIGH

CVSS:8.8(High)

An Unverified Password Change issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When setting a new password for a user, the application does not require the user to know the o...

CWE-6202017

CVE-2018-8916

HIGH

CVSS:8.8(High)

Unverified password change vulnerability in Change Password in Synology DiskStation Manager (DSM) before 6.2-23739 allows remote authenticated users to reset password without verification.

CWE-6202018

CVE-2022-21934

HIGH

CVSS:8.8(High)

Under certain circumstances an authenticated user could lock other users out of the system or take over their accounts in Metasys ADS/ADX/OAS server 10 versions prior to 10.1.5 and Metasys ADS/ADX/OAS...

CWE-6202022

CVE-2024-33699

HIGH

CVSS:8.8(High)

The LevelOne WBR-6012 router's web application has a vulnerability in its firmware version R0.40e6, allowing attackers to change the administrator password and gain higher privileges without the curre...

CWE-6202024

CVE-2020-7378

CRITICAL

CVSS:9.1(Critical)

CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the passw...

CWE-6202020

CVE-2024-28143

HIGH

CVSS:8.4(High)

The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a new p...

CWE-6202024