CVE-2025-15018

Critical

Published: 07 January 2026

Published

07 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 34.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to…

affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts.

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match

prevent

Establishes secure procedures for managing authenticators including password resets, preventing unauthorized manipulation of reset keys leading to account takeover.

AC-2 Account Management good match

preventdetect

Requires procedures and monitoring for account modifications such as password resets, blocking or detecting unauthorized changes to user accounts including administrators.

SI-2 Flaw Remediation good match

prevent

Mandates timely remediation of flaws like the vulnerable random_password filter in the Optional Email plugin, preventing exploitation of the privilege escalation vulnerability.

Security SummaryAI

CVE-2025-15018 is a privilege escalation vulnerability via account takeover in the Optional Email plugin for WordPress, affecting all versions up to and including 1.3.11. The issue arises because the plugin's 'random_password' filter is not restricted to registration contexts, enabling it to interfere with password reset key generation. Published on 2026-01-07, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-639 (Authorization Bypass Through User-Controlled Key).

Unauthenticated attackers can exploit this vulnerability by initiating a password reset and setting a known password reset key. This allows them to reset the password of any user, including administrators, thereby gaining full access to those accounts.

Advisories reference the vulnerable code in the plugin source at https://plugins.trac.wordpress.org/browser/optional-email/tags/1.3.11/optional-email.php?marks=44,51#L44, which marks lines 44 and 51, and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/ff4243e9-cf72-40d5-bc7d-204426024a1d?source=cve for further details on the issue.

Details

CWE(s): CWE-639

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) to achieve privilege escalation via administrator account takeover (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/browser/optional-email/tags/1.3.11/optional-email.php?marks=44,51#L44
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/ff4243e9-cf72-40d5-bc7d-204426024a1d?source=cve
security@wordfence.com