CVE-2025-10645 – The WP Reset WordPress plugin exposes sensitive... (How to Fix)

Q: What is the severity of CVE-2025-10645?

CVE-2025-10645 has a CVSS score of 5.3 (MEDIUM). The WP Reset WordPress plugin exposes sensitive license keys and site data when debugging is enabled. This vulnerability affects all versions up to 2.05, allowing unauthenticated attackers to access confidential information. WordPress sites using vulnerable versions of the WP Reset plugin are at risk.

📋 TL;DR

The WP Reset WordPress plugin exposes sensitive license keys and site data when debugging is enabled. This vulnerability affects all versions up to 2.05, allowing unauthenticated attackers to access confidential information. WordPress sites using vulnerable versions of the WP Reset plugin are at risk.

💻 Affected Systems

Products:

WP Reset WordPress Plugin

Versions: All versions up to and including 2.05

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability only triggers when debugging is enabled, but this is the default configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain license keys and site data, potentially enabling further attacks, license abuse, or data theft.

🟠

Likely Case

Unauthenticated attackers extract sensitive license information and site configuration details.

🟢

If Mitigated

With debugging disabled, the vulnerability cannot be exploited, preventing information exposure.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires accessing specific debugging endpoints when enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.06

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3364169/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WP Reset plugin. 4. Click 'Update Now' if available, or manually update to version 2.06+. 5. Verify update completed successfully.

🔧 Temporary Workarounds

Disable Debugging

all

Turn off debugging mode in WP Reset plugin settings to prevent information exposure.

🧯 If You Can't Patch

Disable the WP Reset plugin entirely until patched
Implement web application firewall rules to block access to debugging endpoints

🔍 How to Verify

Check if Vulnerable:

Check WP Reset plugin version in WordPress admin panel under Plugins > Installed Plugins.

Check Version:

No command needed - check via WordPress admin interface

Verify Fix Applied:

Confirm WP Reset plugin version is 2.06 or higher in plugin settings.

📡 Detection & Monitoring

Log Indicators:

Unusual access to WP Reset debugging endpoints
Requests to /wp-content/plugins/wp-reset/ paths with debugging parameters

Network Indicators:

HTTP requests to WP Reset plugin debugging URLs from unauthorized sources

SIEM Query:

source="web_server" AND (uri_path="/wp-content/plugins/wp-reset/" AND query="debug")

📊 Metadata

CVE ID: CVE-2025-10645

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-532

EPSS Score: 0.07% exploit probability (21th percentile)

Published: October 7, 2025

Last Updated: October 8, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-10645, you might also want to check these: