CVE-2025-4473: 
WordPress vulnerability analysis and mitigation

The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation in versions 1.0 to 2.2.7. The vulnerability was discovered and disclosed on May 13, 2025, and affects the plugin's ajax_request() function. This security issue allows authenticated attackers with Subscriber-level access or above to control the plugin's email sending configuration (NVD, Wiz).

The vulnerability stems from a missing capability check in the ajax_request() function located in the plugin's route/class-fed-request.php file. The CVSS v3.1 base score is 8.8 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-285 (Improper Authorization) (NVD).

By exploiting this vulnerability, authenticated attackers can modify the SMTP settings to point to their own server, allowing them to intercept password reset emails intended for administrators. This can lead to privilege escalation and potentially full site takeover (Wiz).

The vulnerability has been patched in version 2.2.8, released on May 9, 2025. Site administrators are strongly advised to update to this version immediately (WordPress Plugin).