Platform
wordpress
Component
login-customizer
Fixed in
2.5.4
CVE-2025-14975 represents a critical privilege escalation vulnerability within the Custom Login Page Customizer plugin for WordPress. This flaw allows unauthenticated attackers to gain unauthorized access by modifying user passwords, potentially compromising administrator accounts. The vulnerability impacts versions of the plugin up to and including 2.5.3, but a fix is available in version 2.5.4.
The impact of CVE-2025-14975 is severe. An attacker exploiting this vulnerability can completely take over user accounts, including those with administrative privileges. This grants them full control over the WordPress site, enabling them to modify content, install malicious plugins, steal sensitive data, and potentially deface the website. The lack of authentication checks before password updates makes this vulnerability particularly dangerous, as it bypasses standard access controls. Successful exploitation could lead to significant data breaches and reputational damage.
CVE-2025-14975 was published on 2026-01-08. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation and the critical severity suggest a high probability of exploitation. The vulnerability has not been added to the CISA KEV catalog as of this date. Active campaigns targeting WordPress plugins are common, increasing the risk of this vulnerability being exploited in the wild.
Exploit Status
EPSS
0.02% (5th percentile)
CVSS Vector
The primary mitigation for CVE-2025-14975 is to immediately upgrade the Custom Login Page Customizer plugin to version 2.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent further exploitation. While a direct workaround is not available, implementing strong password policies and enabling multi-factor authentication (MFA) on administrator accounts can help reduce the impact of a successful account takeover. After upgrading, verify the fix by attempting to modify a user's password without proper authentication; the action should be denied.
Update to version 2.5.4, or a newer patched version
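One concrete way to carry out the "are we affected" check and the upgrade step above on a WordPress host, as an added example that is not part of this advisory or of the plugin's own code. It assumes WP-CLI is installed on the host; the only values taken from the advisory are the plugin slug (`login-customizer`) and the fixed version (2.5.4). The comparison is field-by-field rather than a string compare, so a future 2.5.10 is correctly treated as newer than 2.5.4.

```shell
#!/bin/sh
# Added example, not from the advisory or the plugin: classify an installed
# login-customizer version as affected (< 2.5.4) or patched for CVE-2025-14975.
FIXED_VERSION="2.5.4"   # first fixed release, per the advisory

# version_lt A B: succeeds (exit 0) when A < B, comparing dot-separated
# numeric fields. Missing fields count as 0 (2.5 == 2.5.0); non-digit
# suffixes such as "-beta" are stripped from a field before comparing.
version_lt() {
    a="$1"; b="$2"
    i=1
    while :; do
        # a trailing dot makes cut return an empty field past the end
        fa=$(printf '%s.\n' "$a" | cut -d. -f"$i")
        fb=$(printf '%s.\n' "$b" | cut -d. -f"$i")
        if [ -z "$fa" ] && [ -z "$fb" ]; then
            return 1        # ran out of fields on both sides: equal, not less
        fi
        fa=$(printf '%s' "$fa" | tr -cd '0-9'); fa=${fa:-0}
        fb=$(printf '%s' "$fb" | tr -cd '0-9'); fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
}

# is_affected VERSION: prints "affected" when VERSION is below the fixed
# release, otherwise "patched".
is_affected() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo affected
    else
        echo patched
    fi
}

# Stand-alone use on a WordPress host (WP-CLI assumed available). `wp plugin
# get --field=version` prints just the installed version string.
if [ "$#" -gt 0 ] && [ "$1" = "--check-host" ]; then
    installed=$(wp plugin get login-customizer --field=version)
    echo "login-customizer $installed: $(is_affected "$installed")"
    if [ "$(is_affected "$installed")" = affected ]; then
        # Upgrade (the advisory's primary mitigation); if the upgrade cannot
        # be applied yet, `wp plugin deactivate login-customizer` is the
        # temporary fallback the advisory describes.
        wp plugin update login-customizer
    fi
fi
```

Run it as `sh check-login-customizer.sh --check-host` on the site; without arguments it only defines the functions, so it can be sourced from a fleet-wide inventory script that feeds versions collected elsewhere into `is_affected`.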
CVE-2025-14975 is a critical vulnerability in the Custom Login Page Customizer plugin for WordPress allowing unauthenticated attackers to change user passwords, leading to account takeover.
You are affected if you are using the Custom Login Page Customizer plugin version 2.5.3 or earlier. Upgrade to 2.5.4 to resolve the issue.
Upgrade the Custom Login Page Customizer plugin to version 2.5.4 or later. If immediate upgrade is not possible, disable the plugin temporarily.
While no public exploit is currently available, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.