CVE-2025-47646: 
WordPress vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-47646) has been identified in the WordPress PSW Front-end Login & Registration plugin affecting versions up to 1.13. The vulnerability is classified as a Weak Password Recovery Mechanism for Forgotten Password, which was discovered by researcher LVT-tholv2k on March 29, 2025, and publicly disclosed on May 8, 2025 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This scoring indicates network accessibility, low attack complexity, no privileges required, and no user interaction needed. The vulnerability is categorized under CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) (Patchstack).

This vulnerability can be exploited by malicious actors to perform actions typically restricted to higher privileged users. The critical severity rating suggests that successful exploitation could potentially lead to complete compromise of the system, allowing attackers to gain administrative access to the affected WordPress websites (Wiz).

Currently, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately to protect their systems (Patchstack).