The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() function. This is due to the use of a weak, low-entropy OTP mechanism in the forget() function. This makes it possible for unauthenticated attackers to initiate a password reset for any user, including administrators, and elevate their privileges for full site takeover.
The forget() function responsible for password reset generates a one-time OTP code using a low-entropy mechanism (CWE-330), making the code susceptible to guessing or brute-force attacks. An unauthenticated attacker can initiate a password reset procedure for any account, and then — through the customer_registration() function — take control of that account. Successful exploitation of the vulnerability leads to privilege escalation and complete website takeover.
An attacker without any privileges can take over a WordPress administrator account and gain full control over the website, including access to data, content modification, and the ability to install malicious software.
Update the PSW Front-end Login & Registration plugin to a version higher than 1.12 according to information available in the WordPress repository. Until the update is applied, it is recommended to disable or uninstall the plugin.
PSW Front-end Login & Registration plugin for WordPress in all versions up to and including 1.12.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H