PT-2026-5248 · WordPress · Custom Login Page Customizer
Drew Webber · Published 2026-01-29 · Updated 2026-01-31
CVE-2025-14975
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Custom Login Page Customizer WordPress plugin versions prior to 2.5.4
Description
The Custom Login Page Customizer WordPress plugin does not implement a proper password reset process. As a result, unauthenticated requests can reset the password of any user whose username is known, potentially granting access to that account. Approximately 90,000 installations may be affected. Exploitation of the issue involves automated discovery and user enumeration, controlled reset-key injection, session-aware flow handling, privilege verification, modular exploitation, and concurrent processing.
Recommendations
Update the Custom Login Page Customizer WordPress plugin to version 2.5.4 or later.
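The advisory describes a reset flow that accepts a new password for any username without proof that the requester holds a valid reset key. The following is an added illustration of what a correct flow looks like on WordPress core APIs; it is not the plugin's code, and the function names `example_request_reset` and `example_perform_reset` are hypothetical.

```php
<?php
// Hypothetical hardened reset flow (added example, not the plugin's code).
// Relies only on WordPress core functions that exist in wp-includes/user.php.

// Step 1: the requester names an account; the reset key is mailed to that
// account's address and is never returned in the HTTP response.
function example_request_reset( string $login_or_email ) {
    $login_or_email = sanitize_text_field( wp_unslash( $login_or_email ) );
    // retrieve_password() creates the key via get_password_reset_key()
    // and sends the reset link by email.
    retrieve_password( $login_or_email );
    // Deliberately answer the same way whether or not the account exists,
    // so this endpoint does not double as a user-enumeration oracle.
    return true;
}

// Step 2: the new password is accepted only if the supplied key matches the
// stored, hashed, time-limited key for that login. The flaw class in this
// advisory is a handler that skips this check and trusts the username alone.
function example_perform_reset( string $login, string $key, string $new_pass ) {
    $login = sanitize_user( wp_unslash( $login ) );
    $key   = sanitize_text_field( wp_unslash( $key ) );

    // check_password_reset_key() compares against user_activation_key and
    // enforces expiry; a missing, forged or stale key returns WP_Error.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        return $user; // error code is 'invalid_key' or 'expired_key'
    }

    if ( strlen( $new_pass ) < 12 ) {
        return new WP_Error( 'weak_password', 'Password must be at least 12 characters.' );
    }

    // reset_password() calls wp_set_password(), which stores the new hash and
    // clears user_activation_key, so the key cannot be replayed.
    reset_password( $user, $new_pass );
    return true;
}
```

When auditing a plugin's reset handler, the question to ask is whether every path that ends in `reset_password()` or `wp_set_password()` is preceded by a successful `check_password_reset_key()` (or an equivalent proof of possession) for the same login.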
Weakness Enumeration
Improper Privilege Management
Related Identifiers
Affected Products
Custom Login Page Customizer