Description
The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. The 'WPBRIGADE_SDK__DEV_MODE' constant must be set to 'true' to exploit the vulnerability.
Published: 2025-03-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Option Modification
Action: Immediate Patch
AI Analysis

Impact

The LoginPress | wp-login Custom Login Page Customizer plugin contains a flaw where the custom_plugin_set_option function does not correctly verify a nonce. As a result, a forged HTTP request submitted from an administrator's browser can update any WordPress option, with no authentication of the attacker required. If the site is running in developer mode, indicated by the WPBRIGADE_SDK__DEV_MODE constant set to true, an attacker can change the default role assigned to newly registered users to administrator and enable the registration feature. This allows the creation of a fully privileged administrator account solely through a click-through CSRF attack, compromising the integrity of the site configuration and effectively providing remote administrative control.
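The mechanism above is the classic CWE-352 shape in a WordPress admin handler. The following is an added example written for this page, not LoginPress code and not the custom_plugin_set_option function itself: a hypothetical option-setting AJAX handler in the vulnerable shape beside the hardened shape. The function names, the nonce action string 'example_set_option' and the allowlisted option names are assumptions for illustration.

```php
<?php
// Added example, not LoginPress code. Hypothetical names throughout.

// Vulnerable shape: any request that reaches this handler writes the named
// option. Nothing proves the request came from the plugin's own admin page,
// so a cross-site form submitted by a logged-in administrator's browser is
// accepted (CWE-352). Deliberately not hooked to any action.
function example_set_option_vulnerable() {
    $name  = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    $value = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}

// Hardened shape: three independent checks, each of which alone would stop
// the scenario the advisory describes.
function example_set_option_hardened() {
    // 1. Nonce: the request must carry a token minted for this action on a
    //    page the plugin rendered for this user. check_ajax_referer() ends
    //    the request with a 403 when the token is missing or invalid.
    check_ajax_referer( 'example_set_option', 'nonce' );

    // 2. Capability: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Allowlist: the handler writes only the options it owns, so even a
    //    valid request cannot touch default_role or users_can_register.
    $allowed = array( 'example_plugin_logo_url', 'example_plugin_color' );
    $name    = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_set_option', 'example_set_option_hardened' );

// The matching token is emitted on the plugin's own settings page, e.g.
// wp_nonce_field( 'example_set_option', 'nonce' ); inside the form markup.
```

The allowlist is the check most often missing even when a nonce is present: a handler that accepts an arbitrary option name is one nonce bug away from the privilege escalation the advisory describes, whereas a handler limited to its own option keys cannot reach default_role at all.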

Affected Systems

The vulnerability affects versions of the hiddenpearls LoginPress plugin up to and including 3.3.1. The plugin is a WordPress plugin that customizes the login page. Only installations where the WPBRIGADE_SDK__DEV_MODE constant is set to true can be exploited. No other products or versions are currently known to be affected.

Risk and Exploitability

The flaw carries a CVSS score of 7.5, indicating high severity, while the EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog. An attacker must obtain a victim administrator's interaction, typically by luring them to click a malicious link, to trigger the CSRF request. Successful exploitation results in the modification of critical WordPress settings and the creation of an attacker-controlled administrator account, giving full control over the site.

Generated by OpenCVE AI on April 22, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LoginPress plugin to version 3.4 or later, where the nonce validation bug is fixed.
  • If an immediate upgrade is not possible, set WPBRIGADE_SDK__DEV_MODE to false or remove the constant from the code base so the exploitation path is closed.
  • Review the site's user registration and default role settings; disable registration or set the default role to a non-admin level, and audit existing accounts for unauthorized administrators.
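The three actions above can be checked in one pass. The following is an added example for this page, not OpenCVE's or the plugin's code: a hypothetical audit routine that reports the exploit precondition (dev mode) and the two post-exploitation indicators named in the advisory (open registration, administrator as default role), then lists administrator accounts for review. The function name is an assumption; it must run inside WordPress, for example as a one-off must-use plugin or with `wp eval-file` from WP-CLI.

```php
<?php
// Added example, not part of the OpenCVE page or of LoginPress.
// Function name is hypothetical. Requires a loaded WordPress environment.
function example_audit_loginpress_exposure() {
    $findings = array();

    // Exploit precondition named in the advisory: dev mode enabled.
    if ( defined( 'WPBRIGADE_SDK__DEV_MODE' ) && WPBRIGADE_SDK__DEV_MODE ) {
        $findings[] = 'WPBRIGADE_SDK__DEV_MODE is true: set it to false or remove it';
    }

    // Settings an attacker would change; WordPress stores both as options.
    if ( '1' === (string) get_option( 'users_can_register' ) ) {
        $findings[] = 'users_can_register is enabled';
    }
    if ( 'administrator' === get_option( 'default_role' ) ) {
        $findings[] = 'default_role is administrator';
    }

    // Enumerate administrators so unexpected accounts stand out. The
    // registration timestamp helps spot accounts created after the
    // plugin was installed or after a suspicious click-through.
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        $findings[] = sprintf(
            'administrator: %s (registered %s)',
            $user->user_login,
            $user->user_registered
        );
    }

    return $findings;
}

// Print one finding per line; an empty list means none of the
// checked conditions is present.
foreach ( example_audit_loginpress_exposure() as $line ) {
    echo $line, PHP_EOL;
}
```

The constant check covers the workaround in the second bullet; the two option checks cover the third. Neither replaces the upgrade in the first bullet, since they only detect the conditions rather than remove the missing nonce check.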

Advisories

Source: EUVD
ID: EUVD-2025-6432
Title: The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. The 'WPBRIGADE_SDK__DEV_MODE' constant must be set to 'true' to exploit the vulnerability.

History

Mon, 14 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values removed: {'score': 0.00024}
Values added: {'score': 0.00034}


Fri, 14 Mar 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 14 Mar 2025 05:30:00 +0000

Type: Description
Values added: The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. The 'WPBRIGADE_SDK__DEV_MODE' constant must be set to 'true' to exploit the vulnerability.

Type: Title
Values added: LoginPress <= 3.3.1 - Cross-Site Request Forgery to Arbitrary Options Update

Type: Weaknesses
Values added: CWE-352

Type: References
Values added:

Type: Metrics (cvssV3_1)
Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:40.910Z

Reserved: 2025-02-27T17:32:23.402Z

Link: CVE-2025-1764

Vulnrichment

Updated: 2025-03-14T13:44:18.160Z

NVD

Status: Deferred

Published: 2025-03-14T06:15:24.860

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1764

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:00:05Z

Weaknesses