Description
The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts.
Published: 2026-01-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover via privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The Optional Email plugin for WordPress hooks WordPress's 'random_password' filter but does not restrict that filter to registration contexts, so it also runs when core generates a password reset key. This is a CWE-639 weakness (authorization bypass through a user-controlled key): an unauthenticated attacker who initiates a password reset can cause the reset key to be a value they already know, complete the reset for any user, including administrators, and take over the account.

Affected Systems

Any WordPress site running the Optional Email plugin at version 1.3.11 or earlier. Every release up to and including 1.3.11 applies the 'random_password' filter to password‑reset key generation, so all of them are affected.

Risk and Exploitability

The flaw carries a CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network‑reachable, low complexity, no privileges or user interaction required. Its EPSS score of <1% indicates that widespread exploitation is unlikely under current conditions, and it is not listed in CISA’s KEV catalog, although the SSVC assessment on this record rates it Automatable with total technical impact. Exploitation needs nothing beyond the public password‑reset flow: the attacker initiates a reset for the target account while influencing the generated reset key to a value they know, then completes the reset with that key and chooses a new password. They can then log in to any account, including those with administrative privileges.

Generated by OpenCVE AI on April 21, 2026 at 00:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Optional Email plugin as soon as a release newer than 1.3.11 that restricts the random_password filter to registration contexts is available; this record currently lists no fixed version, so confirm the fix in the plugin changelog before relying on the upgrade.
  • If upgrading is not immediately possible, disable or uninstall the Optional Email plugin to remove the attack surface.
  • Implement multi‑factor authentication for all WordPress administrative accounts to reduce the impact of a compromise.
  • Monitor password‑reset activity (lost‑password requests and completed resets) for unexpected events, in particular resets of administrator accounts that the account owner did not request.
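The analysis above comes down to one scoping mistake: WordPress core passes every generated password, including the reset key produced by get_password_reset_key() via wp_generate_password(20, false), through the 'random_password' filter, so a plugin filter that is registered globally and honours a request field also decides the reset key. The following is an added illustration of that bug class and of the fix the recommended actions describe; it is not the Optional Email plugin's code. The request field name 'user_pass', the helper names, and the tiny stand-ins for WordPress's add_filter/apply_filters API are assumptions so the file runs without WordPress.

```php
<?php
// Added illustration of the bug class in this record, NOT the Optional Email
// plugin's own code. The 'user_pass' field and helper names are assumptions.
// Minimal stand-ins for the WordPress hook API let this run stand-alone:
//   php demo.php

$GLOBALS['wp_filters'] = [];

function add_filter(string $hook, callable $cb, int $priority = 10, int $accepted_args = 1): void {
    $GLOBALS['wp_filters'][$hook][] = [$cb, $accepted_args];
}

function remove_filter(string $hook, callable $cb): void {
    $GLOBALS['wp_filters'][$hook] = array_values(array_filter(
        $GLOBALS['wp_filters'][$hook] ?? [],
        fn($entry) => $entry[0] !== $cb
    ));
}

function apply_filters(string $hook, $value, ...$args) {
    foreach ($GLOBALS['wp_filters'][$hook] ?? [] as [$cb, $accepted]) {
        $value = $cb(...array_slice(array_merge([$value], $args), 0, $accepted));
    }
    return $value;
}

// Mirrors core: every generated password passes through 'random_password'.
function wp_generate_password(int $length = 12, bool $special = true, bool $extra = false): string {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    if ($special) {
        $chars .= '!@#$%^&*()';
    }
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return apply_filters('random_password', $password, $length, $special, $extra);
}

// Mirrors core get_password_reset_key(): the key is just wp_generate_password(20, false).
function reset_key(): string {
    return wp_generate_password(20, false);
}

// The filter body is the same in both patterns: let the visitor pick the
// password by supplying a request field (assumed name 'user_pass').
function chosen_password_filter(string $password): string {
    return isset($_POST['user_pass']) && $_POST['user_pass'] !== ''
        ? (string) $_POST['user_pass'] : $password;
}

// HARDENED pattern: attach the filter only around the registration call and
// detach it right away, so no other wp_generate_password() caller sees it.
function register_with_chosen_password(): string {
    add_filter('random_password', 'chosen_password_filter');
    try {
        return wp_generate_password(12, false);   // stands in for register_new_user()
    } finally {
        remove_filter('random_password', 'chosen_password_filter');
    }
}

// Constructed attacker request: a lost-password POST that also carries the field.
$_POST['user_pass'] = 'attacker-chosen-key';

// VULNERABLE pattern: the filter is registered globally at plugin load, so the
// reset key produced for the attacker's lost-password request is the field value.
add_filter('random_password', 'chosen_password_filter');
printf("vulnerable plugin, reset key:           %s\n", reset_key());
remove_filter('random_password', 'chosen_password_filter');

// HARDENED pattern: the reset key is core's random 20 characters, while a
// registering user still gets the password they chose.
printf("hardened plugin, reset key:             %s\n", reset_key());
printf("hardened plugin, registration password: %s\n", register_with_chosen_password());
```

Run with a PHP 7.4 or newer CLI. In the vulnerable arrangement the first line echoes the attacker's field back as the reset key, which is exactly the value needed to complete the reset for whichever user the lost-password request named; in the hardened arrangement the reset key is the random 20-character string core generated, and only the registration call sees the chosen value. The same scoping can be done with a flag that the plugin's registration handler sets and the filter checks; the essential property is that the filter never fires for callers the plugin did not intend to influence.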



Advisories

No advisories yet.

History

Thu, 08 Jan 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Djanym; Djanym optional Email; Wordpress; Wordpress wordpress
Vendors & Products   (none)           Djanym; Djanym optional Email; Wordpress; Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 08:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts.
Title         (none)           Optional Email <= 1.3.11 - Unauthenticated Privilege Escalation to Account Takeover
Weaknesses    (none)           CWE-639
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Djanym Optional Email
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:35:18.878Z

Reserved: 2025-12-22T02:54:37.143Z

Link: CVE-2025-15018

Vulnrichment

Updated: 2026-01-07T16:17:39.680Z

NVD

Status: Deferred

Published: 2026-01-07T12:16:58.540

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15018

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:45:23Z

Weaknesses