CVE-2025-1764
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2025-1764 is a Cross-Site Request Forgery (CSRF) vulnerability in the LoginPress | wp-login Custom Login Page Customizer plugin for WordPress, affecting versions up to 3.3.1. The 'custom_plugin_set_option' function does not properly validate a nonce, so a request that reaches it is not bound to a form the administrator actually loaded from the site. An unauthenticated attacker can therefore craft a page or link that, when an authenticated administrator visits it, submits the request with the administrator's session cookie and updates arbitrary WordPress options, including the user registration setting and the default role for new registrations (the 'users_can_register' and 'default_role' options). Exploitation only works when the 'WPBRIGADE_SDK__DEV_MODE' constant is set to 'true'; that constant narrows exposure but is a development switch, not a security control. Because the writable options include the ones governing self-registration, successful exploitation can lead to the attacker obtaining an administrative account on the vulnerable site.
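The following is an added illustration of the vulnerable pattern and its hardened form; it is not LoginPress code, and the function names, AJAX action 'example_set_option', option keys and request parameters are assumptions made for the example (only the WPBRIGADE_SDK__DEV_MODE constant name comes from the advisory). The first handler shows why a dev-mode gate alone does not stop CSRF; the second adds the three checks a WordPress option-writing endpoint needs: a nonce, a capability check, and an allowlist of option keys.

```php
<?php
// Added example, not plugin code. Names other than WPBRIGADE_SDK__DEV_MODE are hypothetical.

// --- Vulnerable pattern -----------------------------------------------------
// The request chooses both the option name and its value. There is no nonce,
// so any third-party page an administrator visits can auto-submit a POST to
// admin-ajax.php?action=example_set_option; the browser attaches the admin's
// session cookie and WordPress runs this as the admin. The dev-mode constant
// only narrows which sites are exposed, it does not verify the request origin.
function example_set_option_vulnerable() {
    if ( ! defined( 'WPBRIGADE_SDK__DEV_MODE' ) || WPBRIGADE_SDK__DEV_MODE !== true ) {
        wp_send_json_error( 'dev mode disabled' );
    }
    $name  = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    $value = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    update_option( $name, $value ); // arbitrary write: users_can_register, default_role, ...
    wp_send_json_success();
}
// Deliberately NOT hooked; kept only to show the shape of the bug.

// --- Hardened pattern -------------------------------------------------------
function example_set_option_hardened() {
    // 1. Nonce: the token is minted by wp_create_nonce('example_set_option') on
    //    our own admin page and handed to the page's JS. A cross-site form cannot
    //    read it, so check_ajax_referer() (which dies with -1 on failure) rejects
    //    forged requests before any state changes.
    check_ajax_referer( 'example_set_option', '_ajax_nonce' );

    // 2. Capability: a valid nonce from a low-privilege user must still not
    //    reach update_option().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist: the request never gets to pick the option key, and each
    //    permitted key has its own sanitizer. Core options such as
    //    users_can_register and default_role are simply not reachable here.
    $allowed = array(
        'example_login_logo_url' => 'esc_url_raw',
        'example_login_message'  => 'sanitize_text_field',
    );
    $name = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! array_key_exists( $name, $allowed ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }
    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = call_user_func( $allowed[ $name ], $raw );
    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
// wp_ajax_ (not wp_ajax_nopriv_) means the handler runs only for logged-in
// users, which is exactly why a forged request riding an admin's session works
// without the nonce check above.
add_action( 'wp_ajax_example_set_option', 'example_set_option_hardened' );

// --- Handing the nonce to the admin page's script ----------------------------
// The settings page enqueues its JS and exposes the nonce; the script sends it
// back as the _ajax_nonce field that check_ajax_referer() looks for.
function example_enqueue_settings_script( $hook_suffix ) {
    if ( 'settings_page_example' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'example-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_set_option' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_script' );
```

When reviewing a plugin for this class of bug, look for every wp_ajax_ or admin_post_ handler that calls update_option() and confirm all three checks are present; a nonce alone without a capability check, or a capability check without a nonce, leaves the endpoint exploitable by a different attacker. Gating the handler behind a constant such as WPBRIGADE_SDK__DEV_MODE is worth verifying on your own deployment (it should be unset or false in production), but it should never be the only thing standing between a forged request and update_option().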