CVE-2025-1764

CVE-2025-1764 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the LoginPress | wp-login Custom Login Page Customizer plugin for WordPress in all versions up to and including 3.3.1. The issue arises from missing or incorrect nonce validation in the 'custom_plugin_set_option' function, earning a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). Published on 2025-03-14, it was publicly disclosed through standard CVE channels.

Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking a malicious link, which forges a request to update arbitrary WordPress options. Attackers can leverage this to enable user registration and set the default role for new registrations to administrator, thereby gaining administrative access to the site. Exploitation requires the 'WPBRIGADE_SDK__DEV_MODE' constant to be set to 'true'.

Mitigation details are available in advisories and patches referenced in the CVE, including Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/9df6a2b4-2dc4-43dd-8282-5c05b0fa13f6?source=cve, the plugin's Trac changeset 3253283 at https://plugins.trac.wordpress.org/changeset/3253283/, and the plugin page at https://pt.wordpress.org/plugins/loginpress/. Security practitioners should update the plugin and verify the absence of the required dev mode constant.