This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Critical **Broken Authentication** flaw in the PSW Front-end Login & Registration plugin.β¦
π¦ **Affected**: WordPress Plugin **PSW Front-end Login & Registration**. π **Versions**: **1.13 and earlier** (specifically noted as β€ 1.12 in PoCs). π’ **Vendor**: Gilblas Ngunte Possi.
Q4What can hackers do? (Privileges/Data)
π΅οΈ **Attacker Actions**: Gain **unauthenticated** access. Register new user accounts without restriction. Escalate privileges to admin levels. Access sensitive user data and potentially take over the WordPress site.
Q5Is exploitation threshold high? (Auth/Config)
β‘ **Threshold**: **LOW**. No authentication required (Unauthenticated). Low complexity (AC:L). No user interaction needed (UI:N). This is a remote, easy-to-exploit vulnerability.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π **Exploitation**: **YES**. Public PoCs exist on GitHub (e.g., Nxploited, RootHarpy). Automated scanning templates are available via ProjectDiscovery Nuclei. Wild exploitation is highly likely.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Scan for the plugin name **"PSW Front-end Login & Registration"**. Check version numbers (β€ 1.13). Use Nuclei templates for CVE-2025-47646.β¦
π **Workaround**: **Disable or Deactivate** the plugin immediately if not essential. If required, restrict access via WAF rules blocking the specific AJAX endpoints. Monitor for unauthorized user registrations closely.
Q10Is it urgent? (Priority Suggestion)
π₯ **Urgency**: **CRITICAL**. CVSS Score **9.8** (High). Unauthenticated remote code/access risk. Immediate action required: Patch, Disable, or Mitigate. Do not ignore this vulnerability.