Description
The WP Reset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.05 via the WF_Licensing::log() method when debugging is enabled (default). This makes it possible for unauthenticated attackers to extract sensitive license key and site data.
Published: 2025-10-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Patch Required
AI Analysis

Impact

The WP Reset plugin for WordPress is affected by a sensitive information exposure flaw in all versions up to 2.05. The flaw lies in the WF_Licensing::log() method when debugging is enabled by default, allowing attackers to extract the plugin's license key and private site data without authentication.

Affected Systems

The issue impacts the WP Reset plugin (webfactory) versions 2.05 and earlier. All installations of WP Reset up to and including 2.05 are affected.

Risk and Exploitability

The problem has a CVSS score of 5.3, indicating moderate severity, and an EPSS score of < 1%, implying a low likelihood of exploitation. It is not listed in the CISA KEV catalog. Attackers can exploit the flaw by simply accessing the plugin’s logging endpoint or otherwise triggering the log method while debugging is enabled, over the network without credentials.

Generated by OpenCVE AI on April 22, 2026 at 13:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Reset plugin to a version newer than 2.05 where the issue is fixed.
  • If an upgrade cannot be performed immediately, disable debug logging in the plugin configuration or via WordPress settings to prevent the log method from exposing the license key.
  • Restrict access to the wf-licensing.log file by setting appropriate file permissions or placing it behind authentication.

Generated by OpenCVE AI on April 22, 2026 at 13:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Wed, 08 Oct 2025 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Webfactoryltd
Webfactoryltd wp Reset
Wordpress
Wordpress wordpress
Vendors & Products Webfactoryltd
Webfactoryltd wp Reset
Wordpress
Wordpress wordpress

Tue, 07 Oct 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Oct 2025 22:45:00 +0000

Type Values Removed Values Added
Description The WP Reset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.05 via the WF_Licensing::log() method when debugging is enabled (default). This makes it possible for unauthenticated attackers to extract sensitive license key and site data.
Title WP Reset <= 2.05 - Unauthenticated Sensitive Information Exposure via wf-licensing.log
Weaknesses CWE-532
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Webfactoryltd Wp Reset
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:48.752Z

Reserved: 2025-09-17T16:16:05.766Z

Link: CVE-2025-10645

cve-icon Vulnrichment

Updated: 2025-10-07T18:20:18.080Z

cve-icon NVD

Status : Deferred

Published: 2025-10-07T09:15:32.610

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10645

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:15:17Z

Weaknesses