CVE-2025-15018
📋 TL;DR
The Optional Email WordPress plugin contains a privilege escalation vulnerability that allows unauthenticated attackers to reset any user's password, including administrators, and take over their accounts. This affects all WordPress sites using the plugin version 1.3.11 or earlier. Attackers can gain full administrative access to vulnerable WordPress installations.
💻 Affected Systems
- Optional Email WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise with administrative access, data theft, malware injection, defacement, and potential lateral movement to other systems.
Likely Case
Administrative account takeover leading to site modification, plugin/theme installation, user data exposure, and SEO spam injection.
If Mitigated
Limited impact if strong monitoring detects unusual password reset activity and immediate response occurs.
🎯 Exploit Status
The vulnerability is well-documented with technical details available, making exploitation straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.12 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/optional-email/tags/1.3.12
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Optional Email' and update to version 1.3.12 or later. 4. If update not available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable Optional Email Plugin
allDeactivate the vulnerable plugin to prevent exploitation
wp plugin deactivate optional-email
Restrict Password Reset Endpoints
allUse web application firewall to block unauthorized access to password reset functionality
🧯 If You Can't Patch
- Immediately deactivate and remove the Optional Email plugin from all WordPress installations
- Implement rate limiting on password reset endpoints and monitor for unusual reset attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Optional Email → Version number. If version is 1.3.11 or earlier, you are vulnerable.Check Version:
wp plugin get optional-email --field=versionVerify Fix Applied:
Verify plugin version is 1.3.12 or later in WordPress admin panel, or check that the plugin is completely removed.📡 Detection & Monitoring
Log Indicators:
- Unusual number of password reset requests
- Password reset requests from unexpected IP addresses
- Successful password resets for administrative accounts
Network Indicators:
- HTTP POST requests to /wp-login.php?action=lostpassword with manipulated parameters
- Rapid succession of password reset attempts
SIEM Query:
source="wordpress.log" AND ("lostpassword" OR "password-reset") AND status=200 | stats count by src_ip