PSW Front-end Login & Registration Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability has been identified in the PSW Front-end Login & Registration plugin for WordPress, affecting all versions through 1.12. The issue arises in the customer_registration() function, which relies on a weak, low-entropy one-time password (OTP) mechanism in the forget() function. This vulnerability allows unauthenticated attackers to initiate password resets for any user, including administrators, thereby elevating their privileges and potentially leading to a complete takeover of the site.
Impact
Exploitation of this vulnerability allows for unauthorized password resets, enabling attackers to gain access to user accounts with elevated privileges, including administrative rights.
Reproduction
To reproduce this vulnerability, an unauthenticated user can send a password reset request for any user account by exploiting the weak OTP mechanism in the forget() function. This request can be made through the customer_registration() function, which does not properly validate the authenticity of the request or the strength of the OTP being used.
Remediation
No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.
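When evaluating a replacement, the password reset path is the part to check. The following is an added example, not code from the plugin or from this advisory: a reset token with 256 bits of entropy that also expires, is single use, and is invalidated after repeated wrong guesses. The class name, the constants and the in-memory store (standing in for per-user storage such as WordPress user meta) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not the plugin's code. ResetTokens keeps state in an
// array that stands in for per-user storage such as WordPress user meta.
const RESET_TTL = 900;        // assumed lifetime: 15 minutes
const RESET_MAX_ATTEMPTS = 5; // assumed cap on wrong guesses per token

final class ResetTokens
{
    /** @var array<int, array{hash: string, expires: int, attempts: int}> */
    private array $store = [];

    // Issue a 256-bit token from the CSPRNG; only its SHA-256 digest is stored.
    public function issue(int $userId, int $now): string
    {
        $token = bin2hex(random_bytes(32));
        $this->store[$userId] = [
            'hash' => hash('sha256', $token),
            'expires' => $now + RESET_TTL,
            'attempts' => 0,
        ];
        return $token; // delivered only to the account's registered e-mail
    }

    // True only for the unexpired, unused token issued to this user.
    public function verify(int $userId, string $token, int $now): bool
    {
        $rec = $this->store[$userId] ?? null;
        if ($rec === null) { return false; }
        if ($now > $rec['expires'] || $rec['attempts'] >= RESET_MAX_ATTEMPTS) {
            unset($this->store[$userId]); // expired or locked out: invalidate
            return false;
        }
        // Constant-time comparison of digests avoids a timing side channel.
        if (!hash_equals($rec['hash'], hash('sha256', $token))) {
            $this->store[$userId]['attempts']++; // count the failed guess
            return false;
        }
        unset($this->store[$userId]); // single use
        return true;
    }
}

// Constructed usage: user ID 1 and a fixed clock value.
$t = new ResetTokens();
$tok = $t->issue(1, 1700000000);
var_dump($t->verify(1, 'wrong', 1700000000)); // a wrong guess
var_dump($t->verify(1, $tok, 1700000060));    // the issued token, within its lifetime
var_dump($t->verify(1, $tok, 1700000061));    // replay of the already used token
```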
