CVE-2025-14996

The AS Password Field In Default Registration Form plugin for WordPress

Executive summary

A critical vulnerability exists in the "AS Password Field In Default Registration Form" WordPress plugin that allows any unauthenticated person on the internet to change the password for any user on an affected website, including administrators. Successful exploitation results in a complete account takeover, granting the attacker full control over the compromised website, posing a severe risk of data theft, defacement, and further attacks.

Vulnerability

The plugin's password update functionality performs neither an authentication check (is the requester logged in at all?) nor an authorization check (is the requester permitted to modify this particular account?). An unauthenticated attacker can craft a web request that names a target account (e.g., by username or user ID) and supplies a new password. The plugin processes this request without validation, overwriting the legitimate user's password, after which the attacker simply logs in with the password they chose and takes full control of the account.
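The anti-pattern described above, shown beside a hardened handler. This is an added example written for this advisory, not the plugin's actual code: the AJAX action name, the `aspf_` prefix, the field names and the nonce action are assumptions for illustration, while the WordPress functions (`wp_set_password`, `check_ajax_referer`, `current_user_can`, `wp_send_json_error`) are real core APIs.

```php
<?php
// Added example (not the plugin's real code). Names prefixed aspf_ are assumed.

// --- VULNERABLE PATTERN -------------------------------------------------------
// The handler trusts a caller-supplied user ID and new password. Nothing asks
// who is calling, so any visitor can overwrite any account's password. In the
// vulnerable shape it would be reachable from logged-out visitors through
// registrations like these (left commented so this file does not expose it):
//   add_action( 'wp_ajax_nopriv_aspf_update_password', 'aspf_update_password_vulnerable' );
//   add_action( 'wp_ajax_aspf_update_password',        'aspf_update_password_vulnerable' );
function aspf_update_password_vulnerable() {
    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $password = (string) wp_unslash( $_POST['password'] ?? '' );

    wp_set_password( $password, $user_id ); // no login, capability or nonce check
    wp_send_json_success();
}

// --- HARDENED PATTERN ---------------------------------------------------------
// 1. No wp_ajax_nopriv_ registration: logged-out requests never reach it.
// 2. A nonce ties the request to a form the logged-in user actually loaded.
// 3. A caller may change only their own password unless they hold edit_user
//    for the target, which is the capability WordPress itself uses for this.
// 4. The target must exist and the new password must meet a minimum length.
add_action( 'wp_ajax_aspf_update_password', 'aspf_update_password_hardened' );
function aspf_update_password_hardened() {
    check_ajax_referer( 'aspf_update_password', 'nonce' ); // dies on a bad/missing nonce

    $user_id  = absint( $_POST['user_id'] ?? 0 );
    $password = (string) wp_unslash( $_POST['password'] ?? '' );
    $self     = ( $user_id === get_current_user_id() );

    if ( ! $self && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! get_userdata( $user_id ) ) {
        wp_send_json_error( 'no such user', 404 );
    }
    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $password, $user_id );

    // wp_set_password does not touch sessions. Revoke every existing session for
    // the account so a previously stolen cookie dies with the old password, and
    // re-issue the caller's own cookie if they changed their own password.
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
    if ( $self ) {
        wp_set_auth_cookie( $user_id );
    }

    wp_send_json_success();
}
```

The nonce for the hardened handler is produced on the page that renders the form with `wp_create_nonce( 'aspf_update_password' )` and posted back in the `nonce` field; without the `nopriv` registration, WordPress answers logged-out callers with HTTP 400 before the handler runs.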

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation can lead to a complete compromise of the organization's WordPress site. An attacker gaining administrator-level access can steal sensitive data (including customer information), deface the website, inject malicious code to attack site visitors, use the server for malicious activities (like hosting phishing sites or malware), and cause significant reputational and financial damage. The direct impact is a total loss of confidentiality, integrity, and availability for the affected website and its data.

Remediation

Immediate Action: Update the "AS Password Field In Default Registration Form" plugin to the latest available version (later than 2.0.0) without delay. Patching does not undo a compromise that has already happened: an attacker who overwrote a password may already hold a valid session. After patching, review all user accounts, particularly those with administrative privileges, for unknown accounts, changed e-mail addresses or roles, and other suspicious activity, and reset the passwords of all privileged accounts and invalidate their existing sessions rather than trying to "revert" a password change, which WordPress does not record.

Proactive Monitoring: Monitor web server and application logs for unusual POST requests related to user profile or password updates, especially from unknown IP addresses. Scrutinize logs for multiple, rapid password change attempts against different users. Set up alerts for the creation of new administrative accounts or unexpected changes to user roles and permissions.
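Web server logs show the request but not which account it targeted, so the most reliable place to see the events this paragraph describes is inside WordPress itself. The following is an added example for this advisory, not code from the plugin or from the original page: a must-use plugin that hooks core WordPress actions to log every password set (flagging ones made by an unauthenticated or unprivileged request), bursts of password changes across several accounts from one IP, newly created administrator accounts, and role escalations. The core hook names are real (`wp_set_password` requires WordPress 6.2 or later); the `pca_` prefix, the thresholds, the window and the log format are assumptions chosen for illustration.

```php
<?php
/*
 * Plugin Name: Password-change audit (added example)
 *
 * Added example for this advisory, not the plugin's or WordPress core's code.
 * Install as wp-content/mu-plugins/pca-audit.php. Hook names are core
 * WordPress actions; pca_ names, thresholds and log format are assumptions.
 */

// One JSON line per event to the PHP error log, for a log shipper or SIEM.
// The new password itself is never written anywhere.
function pca_log( string $event, array $fields ): void {
    $base = array(
        'event'     => $event,
        'time'      => gmdate( 'c' ),
        'remote_ip' => $_SERVER['REMOTE_ADDR'] ?? '',
        'uri'       => $_SERVER['REQUEST_URI'] ?? '',
        'actor_id'  => get_current_user_id(), // 0 = the request was not logged in
    );
    error_log( 'wp-audit ' . wp_json_encode( $base + $fields ) );
}

// 1. Every password set, whoever triggered it. Two shapes match the flaw in
//    the Vulnerability section: an unauthenticated request that is not the
//    core wp-login.php reset flow (or WP-CLI), or a logged-in user setting
//    someone else's password without the edit_user capability.
add_action( 'wp_set_password', function ( $password, $user_id ) {
    $user_id = (int) $user_id;
    $actor   = get_current_user_id();
    $uri     = $_SERVER['REQUEST_URI'] ?? '';
    $trusted_path = ( false !== strpos( $uri, 'wp-login.php' ) )
        || ( defined( 'WP_CLI' ) && WP_CLI );

    $suspicious = ( 0 === $actor && ! $trusted_path )
        || ( $actor !== $user_id && ! current_user_can( 'edit_user', $user_id ) );

    $target = get_userdata( $user_id );
    pca_log( $suspicious ? 'password_set_suspicious' : 'password_set', array(
        'target_id'    => $user_id,
        'target_login' => $target ? $target->user_login : null,
        'target_roles' => $target ? $target->roles : array(),
    ) );

    // 2. Burst detection: one client IP setting passwords on several distinct
    //    accounts inside a 10-minute window (state kept in a transient).
    $key  = 'pca_targets_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
    $seen = get_transient( $key );
    $seen = is_array( $seen ) ? $seen : array();
    $seen[ $user_id ] = time();
    set_transient( $key, $seen, 10 * MINUTE_IN_SECONDS );
    if ( count( $seen ) >= 3 ) {
        pca_log( 'password_change_burst', array( 'distinct_targets' => count( $seen ) ) );
    }
}, 10, 2 );

// 3. Accounts that are born privileged. wp_insert_user assigns the role
//    before firing user_register, so the capability check is meaningful here.
add_action( 'user_register', function ( $user_id ) {
    if ( user_can( $user_id, 'manage_options' ) ) {
        pca_log( 'admin_account_created', array( 'target_id' => (int) $user_id ) );
    }
} );

// 4. Escalation of an existing account to administrator, by either core path.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        pca_log( 'role_escalated_to_admin', array(
            'target_id' => (int) $user_id,
            'old_roles' => (array) $old_roles,
        ) );
    }
}, 10, 3 );

add_action( 'add_user_role', function ( $user_id, $role ) {
    if ( 'administrator' === $role ) {
        pca_log( 'admin_role_added', array( 'target_id' => (int) $user_id ) );
    }
}, 10, 2 );
```

Alert on any `password_set_suspicious`, `password_change_burst`, `admin_account_created` or `role_escalated_to_admin` line. One caveat: `wp_set_password` is a pluggable function, so a plugin that replaces it outright (or writes to the `wp_users` table directly) bypasses hook 1; hooks 3 and 4 still fire, and the web server log remains the place to catch the raw request.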

Compensating Controls: If patching is not immediately possible, deactivate the plugin until it can be updated. If the plugin is business-critical and cannot be disabled, deploy a Web Application Firewall (WAF) rule that blocks unauthenticated POST requests to the plugin's password-change endpoint, which requires knowing the request shape the plugin accepts. Enforcing Multi-Factor Authentication (MFA) for all administrative users is a further mitigating control, as a password alone would then not be sufficient to log in; note that MFA does not stop the attacker from overwriting the password and locking the legitimate user out, so it reduces impact rather than preventing exploitation.

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability represents a critical and immediate threat to any organization using the affected plugin. We strongly recommend that administrators apply the security update provided by the vendor as their highest priority. Due to the ease of exploitation, organizations should assume they are being targeted and perform a compromise assessment to search for signs of unauthorized access. Although this CVE is not currently on the CISA KEV list, its severe impact and low attack complexity make it a prime candidate for future inclusion, underscoring the urgency for immediate remediation.