Frontend Login and Registration Blocks Privilege Escalation Vulnerability via Password Reset

A privilege escalation vulnerability allowing account takeover has been identified in the Frontend Login and Registration Blocks plugin for WordPress, affecting all versions through 1.0.7. The vulnerability arises because the plugin fails to properly verify a user's identity before allowing password changes. This flaw enables authenticated attackers with Subscriber-level access or higher to reset passwords for any user, including administrators, thereby gaining unauthorized access to their accounts.

Impact

Exploitation of this vulnerability allows authenticated users with Subscriber-level access and above to change passwords of other users, including administrators, leading to unauthorized access to their accounts.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the WordPress site's AJAX endpoint, specifically targeting the 'flrblocksresetpasswordhandle' action. This request must include the ID of the user whose password is to be changed, along with the new password. The absence of proper identity verification allows the password change to be processed, regardless of the user's authorization to make such a change.

Remediation

No known patch is available for this vulnerability. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.