CVE-2025-4474 HIGH

CVE-2025-4474: Frontend Dashboard 1.0 - 2.2.7 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via fed_admin_setting_form_function Function

Vendor Vinoth06
Product Frontend Dashboard
Weakness CWE-285
Published May 13, 2025
Last update May 13, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_admin_setting_form_function() function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin’s 'register' role setting to make new user registrations default to the administrator role, leading to an elevation of privileges to that of an administrator.
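The pattern behind this class of bug, shown as an added illustration rather than the Frontend Dashboard plugin's own code: a settings-save handler exposed through admin-ajax.php that checks only that a user is logged in. The handler names, the `demo_settings` option and the `register` form field are assumptions chosen to mirror the advisory; the hardened version adds the capability check, a nonce check, an allow-list for the registration role, and re-validation where the stored value is consumed.

```php
<?php
/**
 * Added illustration, not code from the Frontend Dashboard plugin.
 * Hook names, the 'demo_settings' option and the 'register' field are
 * assumptions that mirror the vulnerability class described above.
 */

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* hooks fire for every authenticated user, Subscribers included,
// so reaching this handler says nothing about the caller's capabilities.
add_action( 'wp_ajax_demo_admin_setting_form', 'demo_admin_setting_form_vulnerable' );

function demo_admin_setting_form_vulnerable() {
    // Missing: capability check (CWE-285) and nonce check.
    $settings             = get_option( 'demo_settings', array() );
    $settings['register'] = isset( $_POST['register'] ) ? $_POST['register'] : 'subscriber';
    update_option( 'demo_settings', $settings );
    // A Subscriber can now POST register=administrator and every new
    // registration that honours this setting becomes an administrator.
    wp_send_json_success( $settings );
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_demo_admin_setting_form_fixed', 'demo_admin_setting_form_fixed' );

function demo_admin_setting_form_fixed() {
    // 1. Authorization: only users allowed to manage the site may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 2. CSRF: the request must carry the nonce issued with the settings form
    //    (the form must have been rendered with wp_create_nonce( 'demo_admin_setting_form' )).
    check_ajax_referer( 'demo_admin_setting_form', 'nonce' );

    // 3. Validation: only roles that are safe to hand out on self-registration.
    //    This also stops a privileged user from misconfiguring sign-ups as admins.
    $allowed_registration_roles = array( 'subscriber', 'contributor' );
    $requested                  = isset( $_POST['register'] ) ? sanitize_key( wp_unslash( $_POST['register'] ) ) : '';
    if ( ! in_array( $requested, $allowed_registration_roles, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid registration role' ), 400 );
    }

    $settings             = get_option( 'demo_settings', array() );
    $settings['register'] = $requested;
    update_option( 'demo_settings', $settings );
    wp_send_json_success( $settings );
}

// --- Point of use ---------------------------------------------------------
// The option may already have been tampered with before the fix was applied,
// so the registration code re-validates instead of trusting the stored value.
function demo_role_for_new_registration() {
    $settings = get_option( 'demo_settings', array() );
    $role     = isset( $settings['register'] ) ? (string) $settings['register'] : 'subscriber';
    if ( 'administrator' === $role || ! wp_roles()->is_role( $role ) ) {
        return 'subscriber';
    }
    return $role;
}
```

Two points worth keeping in mind when reviewing a handler like this: `wp_ajax_{action}` (as opposed to `wp_ajax_nopriv_{action}`) only proves the caller has a session, not a role, and a nonce check alone is not an authorization check, since any logged-in user who can load the form can obtain a nonce.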

Explanation of Vulnerability in Simple Terms

02 Summary

Frontend Dashboard versions 1.0 through 2.2.7 save the plugin's settings through fed_admin_setting_form_function() without checking that the caller holds a capability that permits changing settings (CWE-285, improper authorization). Any logged-in user, including a Subscriber, can therefore submit the settings form and change the plugin's 'register' option, which selects the role given to newly registered users, to administrator. A subsequent registration then creates an account with the administrator role. The attacker needs network access to the site and an account on it; no interaction from an administrator or other victim is required.

What an attacker can do

03 Attacker Capabilities

Change the plugin's 'register' role setting to administrator and obtain an administrator account through a subsequent new user registration. With that account the attacker has full control of the site: all data can be read, modified or deleted, which is why the CVSS vector rates confidentiality, integrity and availability impact as High.

Potential impact on your site

04 Site Impact

Full site takeover. An administrator account can install plugins and themes, edit PHP code, create further accounts and read or alter every piece of site data. If the setting was altered before the plugin was updated, any account registered in the meantime may already hold the administrator role, so the plugin's registration role setting and the list of administrator accounts should be reviewed after patching.

Conditions required to exploit

05 Prerequisites

An account on the site with at least the Subscriber role (self-registration, where enabled, is sufficient); network access to a WordPress site running Frontend Dashboard 1.0 through 2.2.7; and a way to trigger a new user registration after the 'register' role setting has been changed.

Key dates

06 Disclosure timeline

May 13, 2025 CVE published
May 13, 2025 Record updated