CVE-2025-15001

FS Registration Password plugin for WordPress

A critical vulnerability exists in the FS Registration Password plugin for WordPress, allowing unauthenticated attackers to change the password of any user, including administrators.

Executive summary

The FS Registration Password plugin for WordPress contains a critical flaw that lets an unauthenticated attacker set a new password on any user account, including administrator accounts. Successful exploitation hands the attacker full control of the affected site, with data theft, service disruption and reputational damage as the likely consequences. Patching is required immediately.

Vulnerability

The plugin's password-update handler does not verify who is making the request before acting on it. It takes the target account from the request itself, does not require an authenticated session, and does not check that the requester owns that account (or holds a capability that would allow changing it). An unauthenticated attacker who knows a username can therefore submit a password change for that account; the plugin sets the new password and the attacker logs in as that user, including as an administrator. In practice the username requirement is a weak barrier: WordPress usernames are routinely exposed through author archive URLs and through the REST API users endpoint on sites that have not restricted it.
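To make the bug class concrete, the following added example (not the FS Registration Password plugin's own code, which this advisory does not reproduce) shows a password-change handler with the missing checks next to a hardened version. The AJAX action, form field names and nonce action (fsrp_change_password, fsrp_username, fsrp_new_password, fsrp_current_password) are assumed for illustration; the real plugin's names are not given here.

```php
<?php
/**
 * Added example, not the FS Registration Password plugin's own code.
 * Hook names, field names and the nonce action are assumed for illustration.
 */

// VULNERABLE SHAPE: the target account comes from the request body, the
// handler is reachable without a session (wp_ajax_nopriv_*), and nothing
// ties the requester to the account being changed.
function fsrp_vulnerable_change_password() {
    $username = sanitize_user( wp_unslash( $_POST['fsrp_username'] ?? '' ) );
    $new_pass = (string) ( $_POST['fsrp_new_password'] ?? '' );
    $user     = get_user_by( 'login', $username );
    if ( ! $user || '' === $new_pass ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    wp_set_password( $new_pass, $user->ID ); // any caller can reset any account
    wp_send_json_success();
}
// Wiring that exposes the handler to anonymous callers (shown, not enabled):
// add_action( 'wp_ajax_nopriv_fsrp_change_password', 'fsrp_vulnerable_change_password' );
// add_action( 'wp_ajax_fsrp_change_password',        'fsrp_vulnerable_change_password' );

// HARDENED SHAPE: only authenticated callers reach the handler, the target is
// always the caller's own account (never a username from the request), the
// request carries a nonce, and the caller re-proves the current password.
function fsrp_hardened_change_password() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    check_ajax_referer( 'fsrp_change_password', 'nonce' ); // dies on a bad nonce

    $user     = wp_get_current_user();
    $current  = (string) ( $_POST['fsrp_current_password'] ?? '' );
    $new_pass = (string) ( $_POST['fsrp_new_password'] ?? '' );

    if ( '' === $new_pass || ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( 'invalid credentials', 403 );
    }

    // wp_update_user() hashes the password, fires profile_update so monitoring
    // hooks see the change, and re-issues the caller's own auth cookie.
    $result = wp_update_user( array( 'ID' => $user->ID, 'user_pass' => $new_pass ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: anonymous requests to this action get
// WordPress's default "0" response and never execute this code.
add_action( 'wp_ajax_fsrp_change_password', 'fsrp_hardened_change_password' );

// Form side: emits the nonce the hardened handler verifies.
function fsrp_render_change_password_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="fsrp_change_password">';
    wp_nonce_field( 'fsrp_change_password', 'nonce' );
    echo '<input type="password" name="fsrp_current_password" autocomplete="current-password">';
    echo '<input type="password" name="fsrp_new_password" autocomplete="new-password">';
    echo '<button type="submit">Change password</button></form>';
}
```

The three properties worth checking in any password-change code you review are visible in the hardened handler: the account being changed is derived from the session, not from user input; the endpoint is not registered for unauthenticated callers; and a sensitive change demands fresh proof of the current credential. A nonce alone would not have been enough here, since nonces defend against cross-site request forgery, not against an attacker who crafts the request directly.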

Business impact

This vulnerability is rated critical, with a CVSS score of 9.8. Exploitation can lead to complete compromise of the organization's WordPress site. An attacker with administrative access can read and exfiltrate user data, deface the site, plant malware that targets visitors, install a backdoor that survives the plugin being patched, or use the server for further abuse such as hosting phishing pages. The consequences can include financial loss, regulatory penalties following a data breach, loss of customer trust and lasting damage to the brand.

Remediation

Immediate Action: Update the 'FS Registration Password' plugin to the version that resolves this vulnerability (check the plugin's changelog for the fixed version). Patching closes the hole but does not undo a compromise that already happened, so afterwards rotate the passwords of all administrator accounts, invalidate all existing sessions, and review every account, especially administrators, for password changes that the owner did not make, for unfamiliar administrator accounts, and for other signs of follow-on activity such as modified plugin or theme files or unexpected scheduled tasks.

Proactive Monitoring: Watch web server access logs for POST requests that reach the plugin's password-change handler (identify the exact endpoint from the plugin source; on WordPress sites such handlers commonly run through admin-ajax.php or a custom front-end page), particularly from IP addresses that have no prior session with the site. Implement monitoring that alerts on password changes to privileged accounts that were not initiated by the account owner, on logins to administrator accounts from new locations, on the creation of new administrator accounts or role changes that grant administrator, and on modifications to core website files.
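As an added example of the application-level monitoring described above (not code from the original advisory or from the plugin), the following must-use plugin logs the events to alert on: password changes, logins, new accounts and administrator grants. It writes one line per event to PHP's error_log with a fixed prefix so a log pipeline or SIEM can match it. The hook names are core WordPress actions; note that the wp_set_password action exists only in WordPress 6.2 and later, so confirm your core version, and that catching the plugin's own change depends on the plugin calling wp_set_password(), which is an assumption.

```php
<?php
/**
 * Plugin Name: Account-takeover monitor (added example)
 *
 * Added example, not part of the original advisory or of the FS Registration
 * Password plugin. Place in wp-content/mu-plugins/ so it loads before regular
 * plugins. Lines go to PHP's error_log (normally the web server's error log).
 */

function atm_client_ip() {
    // REMOTE_ADDR is the only address the server itself vouches for; consult
    // X-Forwarded-For only if a proxy you control sets it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function atm_format_event( $event, array $fields ) {
    // Pure formatter: key="value" pairs after a fixed prefix, easy to parse.
    $out = 'WP_SEC_MONITOR event=' . $event;
    foreach ( $fields as $k => $v ) {
        $out .= ' ' . $k . '="' . str_replace( '"', '\\"', (string) $v ) . '"';
    }
    return $out;
}

function atm_log( $event, array $fields ) {
    $fields = array_merge( array( 'ip' => atm_client_ip() ), $fields );
    error_log( atm_format_event( $event, $fields ) );
}

// Password set directly through wp_set_password(). This action fires in
// WordPress 6.2 and later only. The password argument is deliberately not
// logged. A password_set on an admin with authenticated_as="anonymous" is
// exactly the signature of an unauthenticated password change.
add_action( 'wp_set_password', function ( $password, $user_id ) {
    $user = get_userdata( $user_id );
    atm_log( 'password_set', array(
        'user'             => $user ? $user->user_login : $user_id,
        'admin'            => ( $user && user_can( $user, 'manage_options' ) ) ? 1 : 0,
        'authenticated_as' => is_user_logged_in() ? wp_get_current_user()->user_login : 'anonymous',
    ) );
}, 10, 2 );

// Password changed through the core "lost password" reset flow.
add_action( 'after_password_reset', function ( $user, $new_pass ) {
    atm_log( 'password_reset', array( 'user' => $user->user_login ) );
}, 10, 2 );

// Successful logins: an admin login from an unfamiliar IP shortly after a
// password_set event is the sequence to alert on.
add_action( 'wp_login', function ( $user_login, $user ) {
    atm_log( 'login', array(
        'user'  => $user_login,
        'admin' => user_can( $user, 'manage_options' ) ? 1 : 0,
    ) );
}, 10, 2 );

// New accounts, and role changes that grant administrator.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    atm_log( 'user_created', array( 'user' => $user ? $user->user_login : $user_id ) );
}, 10, 1 );

add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role ) {
        $user = get_userdata( $user_id );
        atm_log( 'admin_granted', array(
            'user'      => $user ? $user->user_login : $user_id,
            'old_roles' => implode( ',', (array) $old_roles ),
        ) );
    }
}, 10, 3 );
```

Pair this with the access-log check: a password_set line whose ip does not appear in any earlier login line for that user, or a run of password_set lines for different users from one address, is worth an alert regardless of which plugin caused it.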

Compensating Controls: If patching is not immediately possible, disable and uninstall the 'FS Registration Password' plugin as a temporary measure (the site's registration flow will fall back to WordPress's own, so confirm that this is acceptable). Alternatively, add a Web Application Firewall (WAF) rule that blocks requests to the plugin's password-change handler, or at least blocks them when no WordPress login cookie is present. Multi-Factor Authentication (MFA) for all WordPress users adds a layer of protection against account takeover, but with an important caveat here: MFA guards the login step and does not stop the vulnerable handler from overwriting the password, so the legitimate user is still locked out and MFA only helps if it is enforced on every login path, including any that the plugin itself provides.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the CVSS score of 9.8 and the risk of complete system compromise, this vulnerability is an immediate and severe threat, and the absence of a public exploit at the time of writing should not lower its priority: the attack requires nothing beyond a username and an unauthenticated request. Treat it as a top-priority issue, apply the vendor-supplied patch to all affected WordPress sites without delay, and until patching is complete apply the compensating controls above, preferably disabling the plugin. After patching, rotate administrator credentials and review the site for signs that the flaw was already used.