Password Reset with Code < 0.0.17 – Insecure Password Reset Code Creation | CVE 2025-5305

Description

The plugin does not use cryptographically sound algorithms to generate OTP codes, potentially leading to account takeovers.

Proof of Concept

The plugin can be used to reset a user's account password using an OTP code sent by email. The OTP code is generated using the str_shuffle PHP function that according to PHP's documentation "does not generate cryptographically secure values, and must not be used for cryptographic purposes, or purposes that require returned values to be unguessable.".

File: bdvs-password-reset/inc/functions.php

Vulnerable function:
```
function bdpwr_generate_4_digit_code() {

        /**
        *
        * Filter the length of the code
        *
        * @param $length int the number of digits for the code
        */

        $length = apply_filters( 'bdpwr_code_length', 8 );
        $selection_string = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!£$%^&*()_+-={}[]@~\#<>?/|\\';

        /**
        *
        * Filter the selection string to use any characters you like
        *
        * @param $string str the string to select a code from
        */

        $selection_string = apply_filters( 'bdpwr_selection_string', $selection_string );

        return substr( str_shuffle( $selection_string ), 0, $length );
}
```

Password can be reset by running this in the browser console:

```
fetch('/wp-json/bdpwr/v1/reset-password', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    email: 'example@example.com'
  })
})
.then(response => response.json())
.then(data => {
  console.log(data);
})
.catch(error => {
  console.log(error);
});
```