WordPress Plugin Vulnerabilities

WP Reset < 2.06 - Unauthenticated Sensitive Information Exposure via wf-licensing.log

Description

The plugin is vulnerable to Sensitive Information Exposure via the WF_Licensing::log() method when debugging is enabled (default). This makes it possible for unauthenticated attackers to extract sensitive license key and site data.

Affects Plugins

Plugin icon
wp-reset
Fixed in 2.06

References

CVE
CVE-2025-10645
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/86741f4a-8700-45dd-8998-b3f0387c27ed

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
4d390cd0-d95a-4883-8138-e66faf258755

Timeline

Publicly Published
2025-10-06 (about 7 months ago)
Added
2025-10-06 (about 7 months ago)
Last Updated
2025-10-06 (about 7 months ago)

Other

Published
Title
Published
2023-12-18
Title
BackWPup < 4.0.4 - Unauthenticated Backup Download
Published
2025-12-23
Title
VPSUForm < 3.2.25 - Authenticated (Contributor+) Information Exposure
Published
2024-04-22
Title
StreamWeasels Twitch Integration < 1.8.0 - Unauthenticated Sensitive Information Exposure
Published
2024-07-02
Title
Hide My WP Ghost < 5.2.02 - Hidden Login Page Disclosure
Published
2025-09-22
Title
Quiz Maker < 6.7.0.66 - Unauthenticated Sensitive Information Exposure