CVE-2025-15018
Published: 07 January 2026
Summary
CVE-2025-15018 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Establishes secure procedures for managing authenticators including password resets, preventing unauthorized manipulation of reset keys leading to account takeover.
Requires procedures and monitoring for account modifications such as password resets, blocking or detecting unauthorized changes to user accounts including administrators.
Mandates timely remediation of flaws like the vulnerable random_password filter in the Optional Email plugin, preventing exploitation of the privilege escalation vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) to achieve privilege escalation via administrator account takeover (T1068).
NVD Description
The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to…
more
affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts.
Deeper analysisAI
CVE-2025-15018 is a privilege escalation vulnerability via account takeover in the Optional Email plugin for WordPress, affecting all versions up to and including 1.3.11. The issue arises because the plugin's 'random_password' filter is not restricted to registration contexts, enabling it to interfere with password reset key generation. Published on 2026-01-07, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-639 (Authorization Bypass Through User-Controlled Key).
Unauthenticated attackers can exploit this vulnerability by initiating a password reset and setting a known password reset key. This allows them to reset the password of any user, including administrators, thereby gaining full access to those accounts.
Advisories reference the vulnerable code in the plugin source at https://plugins.trac.wordpress.org/browser/optional-email/tags/1.3.11/optional-email.php?marks=44,51#L44, which marks lines 44 and 51, and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/ff4243e9-cf72-40d5-bc7d-204426024a1d?source=cve for further details on the issue.
Details
- CWE(s)