Platform
wordpress
Component
login-customizer
Fixed in
2.5.4
CVE-2025-14975 represents a critical privilege escalation vulnerability within the Custom Login Page Customizer plugin for WordPress. This flaw allows unauthenticated attackers to gain unauthorized access by modifying user passwords, potentially compromising administrator accounts. The vulnerability impacts versions of the plugin up to and including 2.5.3, but a fix is available in version 2.5.4.
The impact of CVE-2025-14975 is severe. An attacker exploiting this vulnerability can completely take over user accounts, including those with administrative privileges. This grants them full control over the WordPress site, enabling them to modify content, install malicious plugins, steal sensitive data, and potentially deface the website. The lack of authentication checks before password updates makes this vulnerability particularly dangerous, as it bypasses standard access controls. Successful exploitation could lead to significant data breaches and reputational damage.
CVE-2025-14975 was published on 2026-01-08. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation and the critical severity suggest a high probability of exploitation. The vulnerability has not been added to the CISA KEV catalog as of this date. Active campaigns targeting WordPress plugins are common, increasing the risk of this vulnerability being exploited in the wild.
WordPress websites utilizing the Custom Login Page Customizer plugin, particularly those running versions prior to 2.5.4, are at significant risk. Shared hosting environments where multiple websites share the same server are especially vulnerable, as a compromise on one site could potentially lead to lateral movement and impact other sites. Sites with weak password policies or a lack of multi-factor authentication are also at increased risk.
• wordpress / composer / npm:
grep -r "wp_update_user_password" /var/www/html/wp-content/plugins/custom-login-page-customizer/
• wordpress / composer / npm:
wp plugin list --status=active | grep 'custom-login-page-customizer'
• wordpress / composer / npm:
wp plugin update --all
• wordpress / composer / npm:
wp plugin status custom-login-page-customizer
Disclosure
Exploit Status
EPSS
0.02% (5% percentile)
CVSS vector
The primary mitigation for CVE-2025-14975 is to immediately upgrade the Custom Login Page Customizer plugin to version 2.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent further exploitation. While a direct workaround is not available, implementing strong password policies and enabling multi-factor authentication (MFA) on administrator accounts can help reduce the impact of a successful account takeover. After upgrading, verify the fix by attempting to modify a user's password without proper authentication; the action should be denied.
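The commands above and the mitigation text both come down to one question: is the installed plugin older than 2.5.4? The following script is an added example, not part of this advisory or of the plugin; it reads the standard WordPress "Version:" header from a plugin's main file (the path and file name are assumptions) and compares it numerically against the fixed version, so that 2.5.10 is correctly treated as newer than 2.5.4 where a plain string comparison would not.

```shell
#!/bin/sh
# Added example for CVE-2025-14975: is an installed Custom Login Page Customizer
# older than the fixed release? Path and main-file name are assumptions.
FIXED_VERSION="2.5.4"
PLUGIN_MAIN="${PLUGIN_MAIN:-/var/www/html/wp-content/plugins/login-customizer/login-customizer.php}"

# Compare two dotted versions field by field (up to four fields); prints lt, eq or gt.
version_cmp() {
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$1" | cut -d. -f"$i" | tr -cd '0-9')
        fb=$(printf '%s' "$2" | cut -d. -f"$i" | tr -cd '0-9')
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then echo lt; return; fi
        if [ "$fa" -gt "$fb" ]; then echo gt; return; fi
        i=$((i + 1))
    done
    echo eq
}

# True (exit 0) when the given version is still affected, i.e. below FIXED_VERSION.
is_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" = lt ]
}

# Extract the value of the "Version:" line from a WordPress plugin header file.
plugin_header_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Report on the installed copy; the same version can be read with
# "wp plugin get login-customizer --field=version" where WP-CLI is available.
check_installed() {
    [ -f "$PLUGIN_MAIN" ] || { echo "plugin main file not found: $PLUGIN_MAIN"; return 2; }
    v=$(plugin_header_version "$PLUGIN_MAIN")
    [ -n "$v" ] || { echo "no Version header in $PLUGIN_MAIN"; return 2; }
    if is_vulnerable "$v"; then
        echo "VULNERABLE: version $v is older than $FIXED_VERSION"; return 0
    fi
    echo "OK: version $v is $FIXED_VERSION or later"; return 1
}

[ -n "${NO_MAIN:-}" ] || check_installed
```

Set PLUGIN_MAIN to the plugin's actual main file if its directory name differs from the assumed slug.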
Update to version 2.5.4 or a newer patched version
CVE-2025-14975 is a critical vulnerability in the Custom Login Page Customizer plugin for WordPress allowing unauthenticated attackers to change user passwords, leading to account takeover.
You are affected if you are using the Custom Login Page Customizer plugin version 2.5.3 or earlier. Upgrade to 2.5.4 to resolve the issue.
Upgrade the Custom Login Page Customizer plugin to version 2.5.4 or later. If immediate upgrade is not possible, disable the plugin temporarily.
While no public exploit is currently available, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.
Refer to the plugin developer's website or WordPress.org plugin repository for the official advisory and update information.