Platform
wordpress
Component
wp-custom-login-page-logo
Fixed in
1.4.9
CVE-2025-12132 describes a Cross-Site Request Forgery (CSRF) vulnerability in the WP Custom Admin Login Page Logo plugin for WordPress. The plugin's settings-save handler does not verify that a request was intentionally submitted by the logged-in administrator, so an unauthenticated attacker who lures an administrator with an active session into opening a crafted link or page can have the administrator's own browser submit a forged request that changes the plugin's settings. All versions up to and including 1.4.8.4 are affected; the issue is fixed in 1.4.9.
The impact is unauthorized modification of the plugin's settings, which control how the WordPress login page is branded. An attacker could alter the login page's logo, branding or related configuration. While these changes look cosmetic, the login page is where users type their credentials, so attacker-chosen branding or links on it can be used to lend credibility to a phishing flow or steer users toward an attacker-controlled page, putting credentials at risk. Exploitation requires user interaction: the administrator must be logged in and visit attacker-controlled content. No password or second factor is bypassed; the forged request simply rides the administrator's existing authenticated session, which is why the fix belongs in the plugin's request handling rather than in account hygiene. Successful exploitation could lead to brand impersonation and erosion of user trust.
CVE-2025-12132 was publicly disclosed on 2025-11-11. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's reliance on social engineering suggests a lower probability of widespread exploitation compared to vulnerabilities that can be exploited automatically.
Any WordPress site running an affected version of the WP Custom Admin Login Page Logo plugin is at risk whenever an administrator browses other sites while logged in, because the forged request is sent with the administrator's existing session cookies. Strong passwords and two-factor authentication do not prevent this, since the attacker never needs the credentials. Sites where plugin updates are not applied promptly, for example shared hosting environments without centrally managed updates, stay exposed longer.
• wordpress / composer / npm:
  grep -r 'wpclpl_save' /var/www/html/wp-content/plugins/wp-custom-admin-login-page-logo/
• wordpress / composer / npm:
  wp plugin list --status=all | grep 'wp-custom-admin-login-page-logo'
• wordpress / composer / npm:
  wp plugin update wp-custom-admin-login-page-logo
• generic web: Inspect HTTP requests to the plugin's settings endpoints for missing or improperly validated CSRF tokens (WordPress nonces).
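To make the last check concrete, the following is an added illustrative example, not code from the WP Custom Admin Login Page Logo plugin or from this page: a minimal WordPress admin-post settings handler in the vulnerable shape the advisory describes (an option updated with neither a nonce nor a capability check), beside a hardened version that performs both checks and validates the input. All hook, option, form-field and function names (the example_clpl_* identifiers) are hypothetical.

```php
<?php
// Added illustrative example; not the plugin's code. All names below are hypothetical.

// --- Vulnerable shape ---------------------------------------------------
// admin-post.php fires admin_post_{action} for any logged-in user, on GET or
// POST. With no nonce and no capability check, any request that reaches this
// action while the victim's browser carries a logged-in admin cookie updates
// the option, which is exactly what a cross-site forged request achieves.
add_action( 'admin_post_example_clpl_save_vulnerable', function () {
    $logo_url = isset( $_POST['logo_url'] ) ? $_POST['logo_url'] : '';
    update_option( 'example_clpl_logo_url', $logo_url );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-clpl' ) );
    exit;
} );

// --- Hardened shape -----------------------------------------------------
add_action( 'admin_post_example_clpl_save', 'example_clpl_save_settings' );

function example_clpl_save_settings() {
    // 1. Authorization: the caller must be allowed to change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce generated for this
    //    action and this user's session. check_admin_referer() calls wp_die()
    //    when the nonce is missing or invalid, so execution does not continue.
    //    A page on another origin cannot obtain or forge this value.
    check_admin_referer( 'example_clpl_save_settings', '_example_clpl_nonce' );

    // 3. Input validation: only accept an empty value or a well-formed http(s) URL.
    $logo_url = isset( $_POST['logo_url'] )
        ? esc_url_raw( wp_unslash( $_POST['logo_url'] ) )
        : '';
    if ( '' !== $logo_url && ! preg_match( '#^https?://#i', $logo_url ) ) {
        wp_die( 'Invalid logo URL.', 400 );
    }

    update_option( 'example_clpl_logo_url', $logo_url );
    wp_safe_redirect(
        add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-clpl' ) )
    );
    exit;
}

// The settings form must emit the matching nonce field; wp_nonce_field() also
// adds a hidden _wp_http_referer field that check_admin_referer() uses.
function example_clpl_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_clpl_save">
        <?php wp_nonce_field( 'example_clpl_save_settings', '_example_clpl_nonce' ); ?>
        <input type="url" name="logo_url"
               value="<?php echo esc_attr( get_option( 'example_clpl_logo_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin's handler, the two things to look for are the absence of any nonce check before the write, and the "improperly validated" variant where `wp_verify_nonce()` is called but its return value is never tested; both leave the write reachable by a forged request. A capability check alone is not sufficient either, because the forged request is executed with the administrator's own capabilities.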
disclosure
Exploit Status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS Vector
The immediate mitigation for CVE-2025-12132 is to upgrade the WP Custom Admin Login Page Logo plugin to version 1.4.9 or later. If upgrading is not immediately possible, deactivate the plugin until it can be updated; with the plugin inactive its settings handler is not registered and cannot be reached by a forged request. Note that two commonly suggested measures do not address this issue: Content Security Policy headers on your site do not stop CSRF, because the forged request is issued from a page on the attacker's origin, and strong passwords or two-factor authentication do not help, because the attacker reuses the administrator's already-authenticated session rather than logging in. Both remain good general hygiene but are not workarounds for this vulnerability. Administrators should avoid browsing untrusted sites while logged in to the WordPress dashboard. Monitor for changes to the plugin's settings (for example through an activity-logging plugin or by comparing the stored options against a known-good copy), and after upgrading verify the plugin's configuration and confirm that no unauthorized changes have been made.
Update the WP Custom Admin Login Page Logo plugin to the latest available version to mitigate the Cross-Site Request Forgery vulnerability. Make sure your WordPress installation is up to date and that all plugins and themes come from trusted sources.
CVE-2025-12132 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Custom Admin Login Page Logo plugin for WordPress, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the WP Custom Admin Login Page Logo plugin in any version up to and including 1.4.8.4, that is, any version before 1.4.9.
Upgrade the WP Custom Admin Login Page Logo plugin to version 1.4.9 or later. As a temporary workaround, deactivate the plugin until it can be updated; CSP headers and password policies do not prevent this CSRF.
There are currently no known public exploits or active campaigns targeting this vulnerability.
Refer to the plugin developer's website or WordPress.org plugin repository for updates and advisories related to CVE-2025-12132.