WordPress Security Bulletin: Custom Login Page Customizer Plugin Vulnerability (CVE-2025-14975)

Security Alert Summary

The Custom Login Page Customizer WordPress plugin has a vulnerability that permits unauthenticated requests to reset the password for any user account when an attacker knows the username. This can allow an attacker to gain access to affected user accounts, including administrator accounts, on sites running vulnerable versions.


CVE Details

  • CVE ID: CVE-2025-14975
  • Affected component: Custom Login Page Customizer WordPress plugin
  • Affected versions: Versions before 2.5.4 (as stated in the CVE description)
  • Published: January 29, 2026 6:15:51 AM
  • Last modified: January 29, 2026 4:31:00 PM
  • CVSS v3.1 base score / severity / vector: Not specified in the CVE entry
  • Authentication / Privileges / User interaction (from CVSS): Not specified in the CVE entry; the description indicates the vulnerability can be exploited via unauthenticated requests by knowing a username
  • Primary impact:
    • Confidentiality: Potentially impacted — unauthorized access to user accounts can expose account data.
    • Integrity: Potentially impacted — an attacker who resets an account password can modify account settings or content accessible to that account.
    • Availability: Not indicated in the CVE entry.
  • CWE / weakness ID: Not specified in the CVE entry

Technical Details

According to the CVE description, the plugin does not implement a proper password reset process. As a result, an unauthenticated attacker who knows a username can reset that account's password with a small number of requests, taking over the account by bypassing the protections a password reset is supposed to enforce.

No specific functions, REST API endpoints, or internal checks are named in the CVE entry. The description focuses on the lack of a proper reset process and the ability for unauthenticated actors to reset passwords for known usernames, including administrator accounts.
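As an added illustration (not the plugin's code, whose internals the CVE entry does not describe), the following Python models the check a proper reset process adds: the password changes only when the requester presents a random, expiring, single-use token that was issued for that user, never on the username alone. The in-memory stores, the 15-minute validity window and the sha256 stand-in for a real password hash are constructed assumptions; WordPress core provides the equivalent mechanism in get_password_reset_key() and check_password_reset_key().

```python
"""Token-bound password reset, written as an example for this bulletin."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumption: reset tokens live for 15 minutes

# Constructed in-memory stores standing in for the user table.
USERS = {"admin": {"password_hash": hashlib.sha256(b"old-secret").hexdigest()}}
PENDING = {}  # username -> {"token_hash": str, "expires": float}


def _h(s: str) -> str:
    # sha256 stands in for a real password hash (bcrypt/argon2) in this model.
    return hashlib.sha256(s.encode()).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a one-time token for a known user; only its hash is stored.
    Returns the raw token, which must be delivered out of band (e.g. e-mail),
    or None for unknown users. Callers should respond identically either way
    so the endpoint cannot be used to enumerate usernames."""
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    PENDING[username] = {"token_hash": _h(token), "expires": now + TOKEN_TTL_SECONDS}
    return token


def reset_password(username: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Change the password only if a live, matching token is presented."""
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None:
        return False                                  # no reset was requested
    if now > entry["expires"]:
        PENDING.pop(username, None)                   # expired token is discarded
        return False
    if not hmac.compare_digest(entry["token_hash"], _h(token)):
        return False                                  # wrong token; constant-time compare
    PENDING.pop(username)                             # single use: consume before writing
    USERS[username]["password_hash"] = _h(new_password)
    return True


def verify_login(username: str, password: str) -> bool:
    """Check a password against the stored hash (model only)."""
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["password_hash"], _h(password))
```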


How This Could Impact Your Website

Consider a small team managing a WordPress site: a site owner, several internal staff members with editor or contributor roles, and an external contractor who occasionally helps with content. If the site runs a vulnerable version of the plugin and an attacker knows a username (for example, from a public author page), the attacker could reset that user’s password and log in as them. For an administrator account this would permit access to administrative functions; for editors or contributors it could allow content changes or data access tied to that account.

Practical consequences include unauthorized access to account data, increased risk of targeted phishing or social engineering using information obtained from compromised accounts, and loss of trust if user accounts are misused. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. The CVE entry lists versions before 2.5.4 as affected; update to 2.5.4 or later once you have confirmed that release contains the fix.
  • Review and reduce unnecessary user roles and privileges, especially for contributor- and editor-level accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and user logins for unusual behavior, such as unexpected password resets or new administrative logins.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References