CVE-2025-1764

Name of the Vulnerable Software and Affected Versions: LoginPress | wp-login Custom Login Page Customizer plugin for WordPress versions up to, and including, 3.3.1

Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the custom plugin set option function. This allows unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, potentially granting them administrative user access. The WPBRIGADE SDK DEV MODE constant must be set to true to exploit the issue. Attackers can trick a site administrator into performing an action, such as clicking on a link, to leverage this exploit and update the default role for registration to administrator, enabling user registration.

Recommendations: For versions up to, and including, 3.3.1, update to a version that includes the fix for the nonce validation issue in the custom plugin set option function. As a temporary workaround, consider setting the WPBRIGADE SDK DEV MODE constant to false to prevent exploitation. Restrict access to the custom plugin set option function to minimize the risk of exploitation until a patch is available.