CVE-2025-15018
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts.
Analysis
The Optional Email plugin for WordPress (through 1.3.11) allows privilege escalation through a filter that makes password reset keys predictable. The 'random_password' filter affects not just registration but also password reset key generation, so reset tokens become guessable.
Technical Context
The plugin's callback on WordPress's 'random_password' filter replaces the core random password generation with a deterministic alternative (CWE-639). The filter is not scoped to registration only, so it also affects the wp_generate_password() call that produces password reset keys. An attacker who knows the algorithm can predict reset keys.
Affected Products
Optional Email plugin for WordPress through 1.3.11
Remediation
Remove this plugin. Reset all user passwords. Verify that wp_generate_password() is producing cryptographically random output.
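The following is an added example for site operators and is not code from the advisory or from the Optional Email plugin. It is a WP-CLI script (assumed to be saved as check-random-password.php and run with `wp eval-file check-random-password.php`) that lists every callback hooked on the 'random_password' filter, which WordPress core itself never hooks, and then exercises wp_generate_password() with the same 20-character, no-special-characters call that core uses for reset keys to see whether the output repeats. The function name check_random_password_filter and the sample size of 50 are this example's own choices.

```php
<?php
/**
 * Added example (not from the advisory or the plugin): a WP-CLI check that a
 * site operator can run with `wp eval-file check-random-password.php` to see
 * whether anything hooks the 'random_password' filter and whether
 * wp_generate_password() still behaves like a CSPRNG.
 *
 * Assumptions: WordPress is already loaded (WP-CLI does this), and the
 * wp_generate_password( 20, false ) call mirrors the one core uses when it
 * builds a password reset key.
 */

function check_random_password_filter() {
    global $wp_filter;
    $report = array( 'hooked_callbacks' => array(), 'deterministic' => false );

    // 1. Enumerate every callback registered on 'random_password'.
    //    has_filter() returns false when nothing is hooked, else the priority.
    //    Core registers nothing here, so any entry belongs to a plugin or theme.
    if ( has_filter( 'random_password' ) && isset( $wp_filter['random_password'] ) ) {
        foreach ( $wp_filter['random_password']->callbacks as $priority => $callbacks ) {
            foreach ( $callbacks as $cb ) {
                $fn = $cb['function'];
                if ( is_array( $fn ) ) {
                    $name = ( is_object( $fn[0] ) ? get_class( $fn[0] ) : $fn[0] ) . '::' . $fn[1];
                } elseif ( $fn instanceof Closure ) {
                    $name = 'Closure';
                } else {
                    $name = (string) $fn;
                }
                $report['hooked_callbacks'][] = array( 'priority' => $priority, 'callback' => $name );
            }
        }
    }

    // 2. Behavioural check: generate reset-key-shaped values and look for a
    //    repeat. Fifty CSPRNG outputs of 20 alphanumerics never collide in
    //    practice, so any duplicate means the generator is not random.
    $seen = array();
    for ( $i = 0; $i < 50; $i++ ) {
        $candidate = wp_generate_password( 20, false );
        if ( isset( $seen[ $candidate ] ) ) {
            $report['deterministic'] = true;
            break;
        }
        $seen[ $candidate ] = true;
    }
    return $report;
}

$result = check_random_password_filter();
if ( empty( $result['hooked_callbacks'] ) && ! $result['deterministic'] ) {
    WP_CLI::success( "No 'random_password' filter hooked; wp_generate_password() output looks random." );
} else {
    foreach ( $result['hooked_callbacks'] as $c ) {
        WP_CLI::warning( "'random_password' filter hooked at priority {$c['priority']}: {$c['callback']}" );
    }
    if ( $result['deterministic'] ) {
        WP_CLI::error( 'wp_generate_password() returned a repeated value: reset keys are predictable.' );
    }
}
```

The hook listing is the authoritative signal: a filter that derives its output from a counter or the clock can pass the repeat test while still being predictable, so treat any non-core callback on 'random_password' as something to review, and only treat the repeat test as a coarse confirmation. After removing the plugin, re-run the script to confirm the hook is gone before resetting user passwords.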