Platform: wordpress
Component: wp-custom-login-page-logo
Fixed version: 1.4.9
CVE-2025-12132 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the WP Custom Admin Login Page Logo plugin for WordPress. This vulnerability allows unauthenticated attackers to modify the plugin's settings by tricking a site administrator into performing actions via a forged request. The vulnerability impacts versions 0.0.0 through 1.4.8.4, and a patch is expected to be released by the plugin developer.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized modification of the WP Custom Admin Login Page Logo plugin's settings. An attacker could leverage this to alter the login page's appearance, branding, or other configurations. While seemingly cosmetic, these changes could be used to obfuscate malicious login pages or redirect users to phishing sites, ultimately compromising user credentials. The attack relies on social engineering to trick an administrator into clicking a malicious link, making user awareness a crucial factor in mitigating the risk. Successful exploitation could lead to brand impersonation and user trust erosion.
CVE-2025-12132 was publicly disclosed on 2025-11-11. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's reliance on social engineering suggests a lower probability of widespread exploitation compared to vulnerabilities that can be exploited automatically.
WordPress websites utilizing the WP Custom Admin Login Page Logo plugin, particularly those with administrator accounts that are not protected by strong passwords or two-factor authentication, are at risk. Shared hosting environments where plugin updates are not managed centrally are also more vulnerable.
• wordpress / composer / npm:
  grep -r 'wpclpl_save' /var/www/html/wp-content/plugins/wp-custom-admin-login-page-logo/
• wordpress / composer / npm:
  wp plugin list --status=all | grep 'wp-custom-admin-login-page-logo'
• wordpress / composer / npm:
  wp plugin update wp-custom-admin-login-page-logo
• generic web: Inspect HTTP requests to the plugin's endpoints for missing or improperly validated CSRF tokens.
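The "inspect the plugin's endpoints for missing CSRF tokens" step above can also be done statically against the plugin source. The following is an added example, not code from the advisory or the plugin: it walks PHP source for handlers that write options and reports any that lack a WordPress nonce check or a capability check, which is the pattern behind this class of settings CSRF. The sample PHP and its function names are constructed; the only real identifiers are WordPress's own update_option, current_user_can, check_admin_referer, wp_verify_nonce and check_ajax_referer.

```python
import re
# Constructed sample: two WordPress-style option-save handlers. The first has no
# nonce/capability check (the CSRF pattern described above); the second has both.
SAMPLE_PHP = r'''
function example_save_logo_settings() {
    if ( isset( $_POST['example_logo_url'] ) ) {
        update_option( 'example_logo_url', esc_url_raw( $_POST['example_logo_url'] ) );
    }
}
add_action( 'admin_init', 'example_save_logo_settings' );

function example_save_logo_settings_fixed() {
    if ( ! isset( $_POST['example_logo_url'] ) || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_save_logo', 'example_nonce' );
    update_option( 'example_logo_url', esc_url_raw( $_POST['example_logo_url'] ) );
}
add_action( 'admin_init', 'example_save_logo_settings_fixed' );
'''

NONCE_CHECKS = ("check_admin_referer", "wp_verify_nonce", "check_ajax_referer")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{", re.S)

def extract_functions(php):
    """Return {name: body} for each PHP function, matching braces by depth count."""
    out = {}
    for m in FUNC_RE.finditer(php):
        depth, i = 1, m.end()
        while i < len(php) and depth:
            depth += {"{": 1, "}": -1}.get(php[i], 0)
            i += 1
        out[m.group(1)] = php[m.end():i - 1]  # body without the outer braces
    return out

def audit_option_writers(php):
    """For each function that calls update_option(), list the checks it is missing."""
    findings = {}
    for name, body in extract_functions(php).items():
        compact = body.replace(" ", "")
        if "update_option(" not in compact:
            continue  # not a settings writer, nothing to audit
        findings[name] = [label for label, present in (
            ("nonce", any(c in body for c in NONCE_CHECKS)),
            ("capability", "current_user_can(" in compact)) if not present]
    return findings

if __name__ == "__main__":
    print(audit_option_writers(SAMPLE_PHP))
```

Point the scanner at real plugin files by reading them into the `php` argument; a handler reported with a missing "nonce" is the one to inspect in the HTTP traffic check above.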
disclosure
Exploitation status
EPSS: 0.03% (8th percentile)
CISA SSVC
CVSS vector
The immediate mitigation for CVE-2025-12132 is to upgrade the WP Custom Admin Login Page Logo plugin to a version that addresses the vulnerability. As a temporary workaround, consider implementing strict Content Security Policy (CSP) headers to restrict the sources from which the plugin can load resources. Additionally, enforce strong password policies and enable two-factor authentication (2FA) for all administrator accounts to reduce the risk of successful social engineering attacks. Monitor WordPress plugin activity logs for any suspicious modifications to the plugin's settings. After upgrading, verify the plugin's configuration and ensure no unauthorized changes have been made.
Update the WP Custom Admin Login Page Logo plugin to the latest available version to mitigate the Cross-Site Request Forgery vulnerability. Make sure your WordPress installation is up to date and that all plugins and themes come from trusted sources.
CVE-2025-12132 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Custom Admin Login Page Logo plugin for WordPress, allowing attackers to modify plugin settings via forged requests.
You are affected if your WordPress site uses the WP Custom Admin Login Page Logo plugin in versions 0.0.0 through 1.4.8.4.
Upgrade the WP Custom Admin Login Page Logo plugin to a patched version. As a temporary workaround, implement strict CSP headers and enforce strong password policies.
There are currently no known public exploits or active campaigns targeting this vulnerability.
Refer to the plugin developer's website or WordPress.org plugin repository for updates and advisories related to CVE-2025-12132.