Custom Login Page Customizer WordPress Plugin Unauthenticated Arbitrary Password Reset Vulnerability

Vulnerability

A vulnerability exists in the Custom Login Page Customizer WordPress plugin in versions prior to 2.5.4. The plugin lacks a proper password reset mechanism, so an unauthenticated user who knows a username can reset the password of that account. This applies to any user, including administrators. The flaw could be exploited to gain unauthorized access to user accounts.

Impact

Exploitation of this vulnerability allows for unauthorized password resets, enabling attackers to gain access to user accounts, including those of administrators.

Remediation

Users are advised to update the Custom Login Page Customizer WordPress plugin to version 2.5.4 or later.

Added: Jan 29, 2026, 6:18 AM
Updated: Jan 29, 2026, 6:18 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 8.5
remediation: 7.7
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.