CVE-2025-10645: CWE-532 Insertion of Sensitive Information into Log File in webfactory WP Reset
The WP Reset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.05 via the WF_Licensing::log() method when debugging is enabled (default). This makes it possible for unauthenticated attackers to extract sensitive license key and site data.
AI Analysis
Technical Summary
CVE-2025-10645 is a vulnerability classified under CWE-532 (Insertion of Sensitive Information into Log File) found in the WP Reset plugin for WordPress, developed by webfactory. The issue exists in all versions up to and including 2.05 and arises from the WF_Licensing::log() method, which logs sensitive license keys and site-specific data when debugging is enabled. Debugging is enabled by default, which inadvertently exposes sensitive information in log files accessible to unauthenticated attackers. Because the vulnerability can be exploited remotely without authentication or user interaction, attackers can extract confidential license and site data, potentially facilitating further attacks or unauthorized use of licensed features. The CVSS v3.1 base score is 5.3, indicating a medium severity level, primarily due to the confidentiality impact and ease of exploitation. There are no known exploits in the wild at the time of publication, and no patches have been released yet. The vulnerability underscores a common security misconfiguration where sensitive data is logged without adequate protection or access controls, especially in production environments. Organizations relying on WP Reset should audit their logging configurations and disable debugging to prevent sensitive data leakage.
Potential Impact
The primary impact of CVE-2025-10645 is the exposure of sensitive license keys and site data, which compromises confidentiality. Attackers gaining access to this information could misuse license keys, potentially leading to unauthorized plugin usage or redistribution. Exposure of site data may also aid attackers in crafting targeted attacks or reconnaissance activities. Although the vulnerability does not directly affect data integrity or availability, the leakage of sensitive information can have downstream effects, such as enabling further exploitation or intellectual property theft. Organizations using WP Reset with debugging enabled in production environments face increased risk, especially if logs are accessible over the web or to unauthorized users. The medium CVSS score reflects the moderate risk level, balancing ease of exploitation with limited scope of impact. The absence of authentication and user interaction requirements increases the threat surface. However, the lack of known active exploits reduces immediate risk, though this could change if attackers develop exploit tools.
Mitigation Recommendations
1. Immediately disable debugging in the WP Reset plugin configuration to prevent sensitive data from being logged.
2. Restrict access to log files by configuring proper file permissions and web server rules to prevent unauthorized access.
3. Monitor logs for any suspicious access patterns or attempts to retrieve log files.
4. Implement network-level controls such as web application firewalls (WAFs) to detect and block attempts to access sensitive logs.
5. Regularly audit plugin configurations and update to newer versions once patches addressing this vulnerability are released.
6. Educate site administrators about the risks of enabling debugging in production environments and enforce secure logging practices.
7. Consider isolating or encrypting sensitive data before logging if debugging is necessary for troubleshooting.
8. Review and harden WordPress file and directory permissions to minimize exposure.
9. Employ intrusion detection systems (IDS) to alert on unusual access to log files or plugin directories.
10. Stay informed through vendor advisories and security bulletins for updates or patches.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Netherlands, Japan, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-17T16:16:05.766Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e4d148768805d4eae3e95a
Added to database: 10/7/2025, 8:37:28 AM
Last enriched: 2/27/2026, 6:31:07 PM
Last updated: 3/21/2026, 5:19:07 AM