CVE-2025-2005: 
WordPress vulnerability analysis and mitigation

The Front End Users plugin for WordPress contains an arbitrary file upload vulnerability (CVE-2025-2005) discovered on February 4, 2025. The vulnerability affects all versions up to and including 3.2.32 due to missing file type validation in the file uploads field of the registration form (NVD).

The vulnerability stems from missing file type validation in the file uploads field of the registration form, which allows unauthenticated attackers to upload arbitrary files to the affected site's server. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site's server, which could potentially lead to remote code execution. This gives attackers complete control over the affected system, potentially compromising the confidentiality, integrity, and availability of the WordPress installation (NVD).

Users should immediately update the Front End Users plugin to a version newer than 3.2.32 once available. Until a patch is released, site administrators should consider disabling the plugin or implementing additional security controls around file uploads (NVD).