
CVE-2025-15018: CWE-639 Authorization Bypass Through User-Controlled Key in djanym Optional Email

Severity: Critical
Published: Wed Jan 07 2026 (01/07/2026, 08:21:57 UTC)
Source: CVE Database V5
Vendor/Project: djanym
Product: Optional Email

Description

CVE-2025-15018 is a critical vulnerability in the Optional Email WordPress plugin by djanym, affecting all versions up to 1.3.11. It allows unauthenticated attackers to bypass authorization by manipulating the password reset process. The flaw arises because the plugin's 'random_password' filter is not limited to registration contexts, enabling attackers to set a known password reset key. This enables them to reset any user's password, including administrators, and take over their accounts without authentication or user interaction. The vulnerability has a CVSS score of 9.8, indicating a critical risk with high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. European organizations using this plugin on WordPress sites are at significant risk of account takeover and privilege escalation.

AI-Powered Analysis

Last updated: 01/14/2026, 15:38:22 UTC

Technical Analysis

CVE-2025-15018 is a critical authorization bypass vulnerability identified in the Optional Email plugin for WordPress, maintained by djanym. The vulnerability affects all versions up to and including 1.3.11. The root cause is the improper restriction of the 'random_password' filter, which is intended to be used only during user registration but is erroneously applied during password reset key generation. This flaw allows unauthenticated attackers to specify a known password reset key when initiating a password reset request. Consequently, attackers can reset the password of any user account, including those with administrative privileges, without needing any prior authentication or user interaction. This leads to full account takeover and privilege escalation on affected WordPress sites. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and has a CVSS v3.1 base score of 9.8, reflecting its critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no exploits have been reported in the wild yet, the vulnerability's nature makes it highly exploitable. The lack of patch links suggests that a fix may not yet be publicly available, increasing the urgency for mitigation. This vulnerability threatens the confidentiality, integrity, and availability of affected WordPress sites, potentially allowing attackers to manipulate site content, steal sensitive data, or disrupt services.

Potential Impact

For European organizations, this vulnerability poses a severe risk, especially those relying on WordPress sites with the Optional Email plugin installed. Successful exploitation can lead to unauthorized administrative access, enabling attackers to modify website content, inject malicious code, steal sensitive user data, or disrupt business operations. This can result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data breaches), financial losses, and operational downtime. Given WordPress's widespread use across Europe for corporate websites, e-commerce platforms, and government portals, the impact could be extensive. Organizations in sectors such as finance, healthcare, government, and e-commerce are particularly vulnerable due to the sensitivity of their data and the critical nature of their web presence. The vulnerability's ease of exploitation without authentication or user interaction increases the likelihood of attacks, potentially leading to widespread compromise if not addressed promptly.

Mitigation Recommendations

1. Immediate action should be to monitor for updates or patches from the plugin vendor and apply them as soon as they become available.
2. Until a patch is released, disable or uninstall the Optional Email plugin if feasible to eliminate the attack surface.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious password reset requests that include user-controlled keys or abnormal parameters.
4. Enforce multi-factor authentication (MFA) on all WordPress administrator accounts to reduce the impact of compromised credentials.
5. Regularly audit user accounts and password reset logs for unusual activity indicative of exploitation attempts.
6. Restrict access to the WordPress admin panel by IP whitelisting or VPN access where possible.
7. Educate site administrators on the risks and signs of account takeover attacks.
8. Maintain regular backups of website data and configurations to enable quick recovery in case of compromise.
9. Consider deploying intrusion detection systems (IDS) to monitor for exploitation attempts targeting this vulnerability.

These steps go beyond generic advice by focusing on compensating controls and proactive detection until an official patch is available.
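As an added compensating control for sites that cannot remove the plugin yet (example code written for this page, not code from djanym or the Optional Email plugin), the must-use plugin below pins password reset keys to the value WordPress core generated whenever another 'random_password' filter alters wp_generate_password() output outside the registration flow. The gate on the 'register_post' and 'register_new_user' actions and the priority choices are assumptions about WordPress core's hook order and should be verified against the installed core version.

```php
<?php
/**
 * Plugin Name: Reset-key hardening (illustrative mu-plugin)
 * Install under wp-content/mu-plugins/. Assumption: the weakness is a
 * 'random_password' filter that rewrites wp_generate_password() output in
 * every context, including get_password_reset_key(). This file restores
 * the unfiltered value for everything except the registration password.
 */

// Register late so our hooks bracket filters that plugins attached on load or
// on 'init'. Same-priority hooks run in the order they were added and
// mu-plugins load first, hence the deferral to the end of 'init'.
add_action( 'init', function () {
    $original = null;

    // Lowest priority: remember the value core itself generated.
    add_filter( 'random_password', function ( $password ) use ( &$original ) {
        $original = $password;
        return $password;
    }, PHP_INT_MIN, 1 );

    // Highest priority: outside registration, discard any change made by
    // intermediate filters and hand back the core-generated value.
    add_filter( 'random_password', function ( $password ) use ( &$original ) {
        // register_new_user() fires 'register_post' before generating the new
        // account's password and 'register_new_user' after creating the user;
        // only that window is a legitimate place to substitute a password.
        // A reset key (wp-login.php?action=lostpassword) never sits in it.
        $registering = did_action( 'register_post' ) > 0
            && did_action( 'register_new_user' ) === 0;

        if ( ! $registering && $original !== null && $password !== $original ) {
            // Leave an audit trail for the log review recommended above.
            error_log( 'random_password: filter altered a non-registration value; core output restored' );
            return $original;
        }
        return $password;
    }, PHP_INT_MAX, 1 );
}, PHP_INT_MAX );
```

Because the protection relies on hook ordering, a plugin that registers its own filter after 'init' at PHP_INT_MAX could still run last, so treat this as a stopgap beside the WAF and monitoring steps, not a replacement for the vendor patch.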


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-12-22T02:54:37.143Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 695e1b30a55ed4ed998cb6a3

Added to database: 1/7/2026, 8:37:04 AM

Last enriched: 1/14/2026, 3:38:22 PM

Last updated: 2/6/2026, 1:44:48 AM
