CVE-2025-14975 in Custom Login Page Customizer Plugin

Summary

by MITRE • 01/29/2026

The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore to gain access to their account.


Analysis

by VulDB Data Team • 02/01/2026

The vulnerability identified as CVE-2025-14975 affects the Custom Login Page Customizer WordPress plugin in version 2.5.3 and earlier and undermines the authentication mechanism of WordPress installations that use it. The weakness lies in the plugin's password reset functionality, which does not enforce proper authentication checks before performing a reset. As a result, the account recovery flow can be manipulated by someone who holds no legitimate authorization for the target account.

The flaw is the absence of adequate validation in the plugin's password reset implementation. An attacker can send a small number of unauthenticated requests to the plugin's password reset endpoint, supplying only a target username such as an administrator account. The plugin neither verifies the legitimacy of these requests nor applies rate limiting that would stop automated attempts, so resets can be attempted systematically against known usernames, bypassing the authentication that such a sensitive operation should require.

The operational impact goes beyond simple privilege escalation. Once an administrator password has been reset, the attacker has complete control of the WordPress site: they can modify content, install malicious plugins, access sensitive data, and use the compromised system as a launchpad for further attacks within the network. Exploitation requires minimal technical expertise, which makes the issue particularly dangerous, since anyone with basic knowledge of web application security can leverage it. The weakness violates fundamental security principles outlined in the OWASP Top Ten, specifically the improper error handling and weak session management categories.

The vulnerability aligns with CWE-384, which covers session management flaws that let attackers hijack user sessions or gain unauthorized access to accounts. It also maps to ATT&CK technique T1110.003, which covers credential stuffing and password reset attacks that exploit weak authentication controls. Because the plugin applies neither rate limiting nor authentication checks, automated tools can target many user accounts in succession, leading to account takeover. Organizations running the affected version face heightened risk, particularly where administrator accounts hold elevated privileges and access to sensitive resources.

The primary mitigation is an immediate upgrade to version 2.5.4 or later of the Custom Login Page Customizer plugin, which implements proper authentication checks and rate limiting for password reset operations. Administrators should additionally monitor for unusual password reset activity, enable multi-factor authentication for administrator accounts, and review access logs for suspicious patterns. Network-level protections such as a web application firewall that detects and blocks anomalous bursts of password reset requests provide a further layer of defense against this attack vector.
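The access-log review recommended above, as an added example that is not part of the VulDB analysis or the plugin's own code: it parses Combined Log Format lines and flags any source that issues repeated POSTs to a password-reset endpoint inside a short sliding window. The "action=reset_password" path marker and the sample log lines are constructed assumptions, since the advisory does not name the vulnerable endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format line; only source IP, timestamp, method and path are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one source fires four resets in under a minute; the rest is benign.
# "action=reset_password" is an assumed placeholder, not the plugin's actual endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=reset_password HTTP/1.1" 200 512
198.51.100.4 - - [30/Jan/2026:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4096
203.0.113.7 - - [30/Jan/2026:10:00:12 +0000] "POST /wp-admin/admin-ajax.php?action=reset_password HTTP/1.1" 200 512
203.0.113.7 - - [30/Jan/2026:10:00:19 +0000] "POST /wp-admin/admin-ajax.php?action=reset_password HTTP/1.1" 200 512
198.51.100.4 - - [30/Jan/2026:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [30/Jan/2026:10:00:40 +0000] "POST /wp-admin/admin-ajax.php?action=reset_password HTTP/1.1" 200 512
"""

def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def reset_bursts(log_text, reset_marker, threshold=3, window_s=60):
    """Map source IP -> peak count for sources that sent at least `threshold` POSTs
    whose path contains `reset_marker` within any `window_s`-second sliding window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and reset_marker in rec["path"]:
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()  # log order is not guaranteed; the window scan needs sorted times
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(hits, flagged.get(ip, 0))
    return flagged
```

Tune `threshold` and `window_s` to the site's legitimate reset rate; a flagged source is a candidate for WAF blocking and for checking whether any administrator password changed in the same period.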

Responsible

WPScan

Reservation

12/19/2025

Disclosure

01/29/2026

Moderation

accepted

CPE

ready

EPSS

0.00025

KEV

no

Activities

very low
