CVE-2025-3605: 
WordPress vulnerability analysis and mitigation

The Frontend Login and Registration Blocks plugin for WordPress contains a critical privilege escalation vulnerability (CVE-2025-3605) discovered and reported by Wordfence on May 09, 2025. The vulnerability affects all versions up to and including 1.0.7. This security issue stems from improper user identity validation in the plugin's functionality (NVD CVE, Wiz Report).

The vulnerability exists in the flrblocksusersettingshandleajaxcallback() function, which fails to properly validate user identity before allowing updates to user details, particularly email addresses. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The weakness has been classified as CWE-639 (Authorization Bypass Through User-Controlled Key) (NVD CVE, Wiz Report).

The vulnerability enables unauthenticated attackers to change arbitrary user's email addresses, including those of administrators. Once an attacker changes a user's email address, they can leverage this to reset the user's password and gain unauthorized access to their account. This effectively enables complete account takeover and privilege escalation to administrator level (NVD CVE, Wiz Report).

Users should immediately update their Frontend Login and Registration Blocks plugin to a version newer than 1.0.7 if available. If an update is not available, it is recommended to disable the plugin until a patch is released (Wiz Report).