CVE-2025-1764: CWE-352 Cross-Site Request Forgery (CSRF) in hiddenpearls LoginPress | wp-login Custom Login Page Customizer
CVE-2025-1764 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability in the LoginPress | wp-login Custom Login Page Customizer WordPress plugin up to version 3.3.1. The flaw arises from missing or incorrect nonce validation in the 'custom_plugin_set_option' function, allowing unauthenticated attackers to trick administrators into executing forged requests. Exploitation requires the 'WPBRIGADE_SDK__DEV_MODE' constant to be set to true, enabling attackers to modify site options such as changing the default user role to administrator and enabling user registration. This can lead to unauthorized administrative access and full site compromise. The vulnerability has a CVSS score of 7.5, reflecting its high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or mitigating this issue to prevent privilege escalation and site takeover.
AI Analysis
Technical Summary
CVE-2025-1764 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the LoginPress | wp-login Custom Login Page Customizer plugin for WordPress, affecting all versions up to and including 3.3.1. The root cause is the absence or incorrect implementation of nonce validation in the 'custom_plugin_set_option' function, which is intended to protect against unauthorized state-changing requests. Nonces in WordPress serve as tokens to verify that requests originate from legitimate users and not from malicious third-party sites. Without proper nonce checks, attackers can craft malicious links or web pages that, when visited by an authenticated administrator, trigger unauthorized changes on the WordPress site. Specifically, this vulnerability allows attackers to update arbitrary site options, including setting the default user role for new registrations to 'administrator' and enabling user registration. This scenario enables attackers to create accounts with administrative privileges, leading to full site control. However, exploitation requires the 'WPBRIGADE_SDK__DEV_MODE' constant to be set to true, which is typically a development mode setting and may limit the exposure in production environments. The vulnerability has been assigned a CVSS 3.1 base score of 7.5, indicating high severity due to its potential to compromise confidentiality, integrity, and availability without requiring authentication but needing user interaction (administrator clicking a malicious link). No public exploits have been reported yet, but the impact of successful exploitation is significant. The vulnerability was published on March 14, 2025, and no official patches or updates have been linked yet, emphasizing the need for immediate attention from site administrators using this plugin.
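The nonce validation the analysis refers to, as an added illustration that is not the plugin's own code: the first handler shows the unprotected shape (no nonce, no capability check, arbitrary option name), the second the hardened form a defender would expect to find; all function, action and option names are assumed.

```php
<?php
// Added illustrative example, not LoginPress code: a WordPress AJAX option
// handler in the unprotected shape the advisory describes, then a hardened
// version. Function names, action names and option names are assumed.

// Weak pattern: any request carrying the parameters is honoured. A page on
// another site can make a logged-in admin's browser send it, because nothing
// ties the request to a form WordPress issued to that admin.
function demo_set_option_weak() {
    $name  = $_POST['option_name']  ?? '';
    $value = $_POST['option_value'] ?? '';
    update_option( $name, $value ); // arbitrary option, no nonce, no capability check
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_set_option_weak', 'demo_set_option_weak' );

// Hardened pattern: nonce, capability, allowlist and sanitised input.
function demo_set_option_hardened() {
    // 1. Nonce: the request must carry the token WordPress issued to this user
    //    for this action; otherwise check_ajax_referer() dies with HTTP 403.
    check_ajax_referer( 'demo_set_option', 'nonce' );

    // 2. Capability: a valid nonce from a low-privilege user still may not
    //    change site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Allowlist: only the plugin's own options are writable here. Core
    //    options such as default_role and users_can_register are unreachable,
    //    so this handler cannot be turned into an admin-creation path.
    $allowed = array( 'demo_logo_url', 'demo_login_message' );
    $name    = sanitize_key( wp_unslash( $_POST['option_name'] ?? '' ) );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }

    // 4. Sanitise the value before it reaches the options table.
    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success( array( 'updated' => $name ) );
}
add_action( 'wp_ajax_demo_set_option', 'demo_set_option_hardened' );

// The admin page that sends the request must embed the matching nonce, e.g.:
// wp_localize_script( 'demo-admin', 'demoAjax', array(
//     'nonce' => wp_create_nonce( 'demo_set_option' ),
//     'url'   => admin_url( 'admin-ajax.php' ),
// ) );
```

Note that the allowlist in step 3 is what limits damage even if a nonce check is later removed or a debug constant such as the one the advisory names loosens other checks: the handler can only ever write its own options.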
Potential Impact
If exploited, this vulnerability can have severe consequences for affected WordPress sites. Attackers can gain administrative privileges by manipulating site options, effectively taking full control over the website. This includes the ability to modify content, install malicious plugins or themes, steal sensitive data, and disrupt site availability. The compromise of administrative accounts can also facilitate further attacks on connected systems or networks. For organizations relying on WordPress for business operations, e-commerce, or content delivery, such a breach can lead to data loss, reputational damage, regulatory penalties, and financial losses. The requirement for the 'WPBRIGADE_SDK__DEV_MODE' constant to be true may reduce the attack surface in typical production environments; however, sites with development modes enabled or misconfigured could be at high risk. The vulnerability's exploitation does not require authentication but does require an administrator to interact with a malicious link, making social engineering a critical factor. Overall, the threat poses a high risk to the confidentiality, integrity, and availability of affected WordPress sites worldwide.
Mitigation Recommendations
1. Immediately verify whether the 'WPBRIGADE_SDK__DEV_MODE' constant is set to true in your WordPress configuration and disable it by setting it to false or removing it in production environments.
2. Monitor for updates or patches from the plugin vendor hiddenpearls and apply them as soon as they become available.
3. If no patch is available, consider temporarily disabling or uninstalling the LoginPress plugin to eliminate the attack vector.
4. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the 'custom_plugin_set_option' function or unusual option update attempts.
5. Educate site administrators about the risks of clicking on unsolicited or suspicious links, especially while logged into administrative accounts.
6. Regularly audit user roles and registrations to detect unauthorized administrative accounts and remove them promptly.
7. Employ security plugins that can monitor for unauthorized changes to site options and alert administrators.
8. Restrict administrative access to trusted IP addresses where feasible to reduce exposure.
9. Conduct regular backups of the WordPress site and database to enable recovery in case of compromise.
10. Review and harden WordPress security configurations, including enforcing least privilege principles for user roles.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Netherlands, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-02-27T17:32:23.402Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6b19b7ef31ef0b54e150
Added to database: 2/25/2026, 9:35:21 PM
Last enriched: 2/25/2026, 10:08:06 PM
Last updated: 2/26/2026, 7:58:00 AM