CVE-2025-10645 is a vulnerability classified under CWE-532 (Insertion of Sensitive Information into Log File) affecting the WP Reset plugin for WordPress, specifically all versions up to and including 2.05. The root cause lies in the WF_Licensing::log() method, which, when debugging is enabled (the default setting), logs sensitive information such as license keys and site-specific data. These logs are accessible without authentication, allowing unauthenticated remote attackers to retrieve sensitive information by accessing the log files. The vulnerability does not require user interaction and can be exploited over the network, making it relatively easy to exploit. The CVSS v3.1 score is 5.3 (medium severity), reflecting the vulnerability's impact on confidentiality without affecting integrity or availability. No known exploits have been reported in the wild as of the publication date. The vulnerability primarily threatens the confidentiality of sensitive licensing and site data, which could be leveraged for further attacks such as license misuse, targeted phishing, or reconnaissance. The lack of authentication requirement and default enabled debugging increase the risk of exposure. The vulnerability affects a widely used WordPress plugin, which is popular for resetting WordPress installations during development or troubleshooting, thus broadening the scope of affected systems. The absence of a patch link indicates that users must rely on configuration changes or await official updates from the vendor.

For European organizations, this vulnerability poses a risk of sensitive license keys and site data exposure, which can lead to unauthorized use of licensed software features or facilitate further targeted attacks. Organizations relying on WP Reset in production environments with default debugging enabled may inadvertently expose critical information to unauthenticated attackers. This can undermine trust, lead to compliance issues under GDPR due to improper handling of sensitive data, and potentially cause financial or reputational damage. The impact is more pronounced for sectors with high reliance on WordPress for e-commerce, media, or government websites, where sensitive operational data leakage could have cascading effects. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach can be a stepping stone for attackers to escalate privileges or conduct more sophisticated attacks. The medium severity score suggests moderate urgency, but the ease of exploitation and default enabled debugging setting increase the practical risk. Organizations with public-facing WordPress sites are particularly vulnerable, as attackers can remotely access logs without authentication.

1. Immediately disable debugging in WP Reset plugin configurations on all production WordPress sites to prevent sensitive data from being logged. 2. Restrict access to log files by configuring web server permissions and employing access control mechanisms such as IP whitelisting or authentication. 3. Monitor web server and application logs for unusual access patterns or attempts to retrieve log files. 4. Regularly audit WordPress plugins and their configurations to ensure no sensitive information is exposed inadvertently. 5. Stay informed about vendor updates and apply patches promptly once available. 6. Consider implementing Web Application Firewalls (WAF) to block unauthorized requests targeting log files or plugin endpoints. 7. Educate development and operations teams about the risks of leaving debugging enabled in production environments. 8. If feasible, isolate WordPress administrative and plugin-related endpoints behind VPNs or internal networks to reduce exposure. 9. Backup site data and configurations regularly to enable recovery in case of compromise. 10. Conduct periodic security assessments focusing on plugin vulnerabilities and configuration weaknesses.