Optional Email WordPress Plugin Privilege Escalation Vulnerability Allowing Account Takeover

Vulnerability

A vulnerability exists in the Optional Email plugin for WordPress, affecting all versions through 1.3.11. The issue arises from the plugin's 'random_password' filter, which is not limited to registration contexts. This oversight allows unauthenticated attackers to manipulate password reset key generation. By setting a known password reset key, attackers can reset the passwords of any user, including administrators, and gain access to their accounts.

Impact

Exploitation of this vulnerability allows for unauthorized password resets, enabling attackers to take over user accounts, including those of administrators.

Added: Jan 7, 2026, 2:44 PM

Updated: Jan 7, 2026, 2:44 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

8.1

remediation

0.0

relevance

1.9

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

5.0

exploitability

8.1

remediation

0.0

relevance

1.9

threat

3.2

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Optional Email WordPress Plugin Privilege Escalation Vulnerability Allowing Account Takeover

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating