Vulnerabilities

CVE-2025-15018 - WordPress Optional Email Privilege Escalation via Account Takeover

2026-01-07 0 views admin
CVE-2025-15018 - WordPress Optional Email Privilege Escalation via Account Takeover

CVE ID : CVE-2025-15018 Published : Jan. 7, 2026, 10:20 a.m. | 1 hour, 55 minutes ago Description : The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key generation. This makes it possible for unauthenticated attackers to set a known password reset key when initiating a password reset, reset the password of any user including administrators, and gain access to their accounts. Severity: 9.8 | CRITICAL Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE Details

Severity
CRITICAL
Published
Jan. 7, 2026
Affected Product: WordPress
Impact: Privilege Escalation

Source: Telegram CVE Monitor

🏷️ Tags

cvevulnerabilitysecuritycybersecuritycve-2025-15018criticalwordpress

More from Vulnerabilities

CVE-2025-13753 - WP Table Builder <= 2.0.19 - incorrect authorization to authenticated (subscribe

CVE-2025-13753 - WP Table Builder <= 2.0.19 - incorrect authorization to authenticated (subscribe

2026-01-09 0
CVE-2025-13628 - Tutor LMS – eLearning and online course solution <= 3.9.3 - missing authorizatio

CVE-2025-13628 - Tutor LMS – eLearning and online course solution <= 3.9.3 - missing authorizatio

2026-01-09 0
CVE-2025-69194 - Wget2: arbitrary file write via metalink path traversal in gnu wget2 - 2025 Update

CVE-2025-69194 - Wget2: arbitrary file write via metalink path traversal in gnu wget2 - 2025 Update

2026-01-09 0
CVE-2025-14937 - Frontend Admin by DynamiApps <= 3.28.23 - unauthenticated stored cross-site scri

CVE-2025-14937 - Frontend Admin by DynamiApps <= 3.28.23 - unauthenticated stored cross-site scri

2026-01-09 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views