Description

The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process. With a few requests, an unauthenticated attacker who knows a username can reset the password of any user, including administrators, and thereby gain access to that account.

PUBLISHED Reserved 2025-12-19 | Published 2026-01-29 | Updated 2026-01-29 | Assigner WPScan

Problem types

CWE-269 Improper Privilege Management

Product status

Default status: unaffected

Affected: 2.1.1 (semver) before 2.5.4

Credits

Drew Webber (mcdruid), finder

WPScan, coordinator

References

wpscan.com/...rability/a1403186-51aa-4eae-a3fe-0c559570eb93/ exploit vdb-entry technical-description

cve.org (CVE-2025-14975)

nvd.nist.gov (CVE-2025-14975)
