The djanym Optional Email plugin for WordPress, versions up to and including 1.3.11, contains a critical authorization bypass vulnerability identified as CVE-2025-15018. The root cause is the improper restriction of the 'random_password' filter, which is intended to be applied only during user registration but is erroneously applied during password reset key generation. This flaw allows unauthenticated attackers to specify a known password reset key when initiating a password reset request. Consequently, attackers can reset passwords for any user account, including those with administrative privileges, effectively enabling full account takeover without prior authentication or user interaction. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS v3.1 score of 9.8 reflects the ease of remote exploitation (no authentication or user interaction required), and the severe impact on confidentiality, integrity, and availability of affected WordPress sites. Although no public exploits have been reported yet, the critical nature of this flaw demands immediate attention from site administrators. The vulnerability affects all versions of the plugin up to 1.3.11, and no official patches have been linked at the time of reporting.

This vulnerability poses a severe risk to organizations running WordPress sites with the djanym Optional Email plugin installed. Attackers can gain unauthorized administrative access, allowing them to manipulate site content, steal sensitive data, deploy malware, or disrupt services. The compromise of administrator accounts can lead to full site takeover, loss of customer trust, data breaches, and potential regulatory penalties. Since WordPress powers a significant portion of websites globally, including e-commerce, government, and enterprise sites, the impact can be widespread. The ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and mass exploitation attempts once public exploits emerge. Organizations relying on this plugin face risks to their operational continuity, data confidentiality, and brand reputation.

Immediate mitigation steps include disabling the Optional Email plugin until a secure patch is released. Administrators should monitor for updates from the vendor and apply patches promptly once available. As a temporary workaround, site owners can implement custom code to restrict the 'random_password' filter strictly to registration contexts, preventing its misuse during password resets. Additionally, enforcing multi-factor authentication (MFA) for all administrator accounts can reduce the risk of account takeover. Regularly auditing user accounts for unauthorized changes and monitoring logs for suspicious password reset activities are also recommended. Site owners should consider limiting password reset functionality through rate limiting or CAPTCHA challenges to hinder automated exploitation attempts. Finally, maintaining regular backups and having an incident response plan ready will help mitigate damage if exploitation occurs.