Improper Authorization

CVE-2025-4474

High

8.8/10

Summary

The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_admin_setting_form_function() function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin’s 'register' role setting to make new user registrations default to the administrator role, leading to an elevation of privileges to that of an administrator.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-285 - Improper Authorization

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References

Advisory Timeline

Published May 13, 2025

Improper Authorization

CVE-2025-4474

Summary

CWE-285 - Improper Authorization

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS