Custom Login Page Customizer < 2.5.4 – Unauthenticated Arbitrary Password Reset | CVE 2025-14975

Description

The plugin does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account

Proof of Concept

The PoC will be displayed on February 05, 2026, to give users the time to update.

Affects Plugins

Fixed in 2.5.4

References

CVE

CVE-2025-14975

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-269

CVSS

8.1 (high)

Miscellaneous

Original Researcher

Drew Webber (mcdruid)

Submitter

Drew Webber (mcdruid)

Verified

Yes

WPVDB ID

a1403186-51aa-4eae-a3fe-0c559570eb93

Timeline

Publicly Published

2026-01-08 (about 21 days ago)

Added

2026-01-08 (about 20 days ago)

Last Updated

2026-01-08 (about 20 days ago)

Other

Published

Title

Published

2025-06-30

Title

Opal Estate Pro <= 1.7.5 - Unauthenticated Privilege Escalation via 'on_regiser_user'

Published

2025-08-05

Title

Reveal Listing < 3.4 - Unauthenticated Privilege Escalation

Published

2025-08-15

Title

WPGYM <= 67.7.0 - Missing Authorization to Admin Account Creation

Published

2019-11-07

Title

Funnel Builder by CartFlows < 1.3.1 - Authenticated Arbitrary Plugin Activation

Published

2016-07-08

Title

Profile Builder < 2.4.1 - Privilege Escalation