Cross-Site Request Forgery in LoginPress Custom Login Page Customizer for WordPress
CVE-2025-1764

7.5 HIGH

Key Information:

Vendor: Hiddenpearls
Product: Loginpress | WP-login Custom Login Page Customizer
CVE Published: 14 March 2025

Summary

The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress has a vulnerability that allows unauthenticated attackers to manipulate site settings through Cross-Site Request Forgery (CSRF). Because nonce validation in the 'custom_plugin_set_option' function is inadequate, an attacker can forge a request and trick a site administrator into submitting it, so that the administrator's browser performs an action the attacker chose. Since the function writes site options, this can lead to privilege escalation, for example by changing the default registration role to administrator. The vulnerability is exploitable when the 'WPBRIGADE_SDK__DEV_MODE' constant is set to 'true', and in that configuration it poses a significant risk to site security and user integrity.
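To illustrate the defect class the summary describes, here is an added example (not LoginPress code; the plugin prefix, option names and AJAX action are hypothetical) that places an option-setting handler with no nonce or capability check beside a hardened version:

```php
<?php
// Added example for a hypothetical plugin; all myplugin_* names are assumptions.

// Only options on this allow-list may be written from a request. Letting the
// request name the option is what turns a settings CSRF into privilege escalation
// (e.g. a request that targets WordPress's own 'default_role' option).
const MYPLUGIN_WRITABLE_OPTIONS = array( 'myplugin_logo_url', 'myplugin_bg_color' );

// Insecure pattern (the class of bug in the advisory): option name and value come
// straight from the request; no nonce check, no capability check, no allow-list.
function myplugin_set_option_insecure() {
    update_option( $_POST['option'], $_POST['value'] );
    wp_send_json_success();
}

// Hardened pattern. The checks run unconditionally: they must never be skipped
// because a debug or dev-mode constant happens to be defined.
function myplugin_set_option_secure() {
    // 1. CSRF: the nonce must have been issued for this action and this user.
    //    check_ajax_referer() with $stop = false returns false instead of dying.
    if ( ! check_ajax_referer( 'myplugin_set_option', '_wpnonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 ); // calls wp_die()
    }
    // 2. Authorization: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 3. Input: restrict the option name to the allow-list and sanitize the value.
    $option = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $option, MYPLUGIN_WRITABLE_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $option, $value );
    wp_send_json_success( array( 'option' => $option ) );
}
add_action( 'wp_ajax_myplugin_set_option', 'myplugin_set_option_secure' );

// The admin page that issues these requests must embed the matching nonce, e.g.
// wp_nonce_field( 'myplugin_set_option', '_wpnonce' ) in a form, or
// wp_create_nonce( 'myplugin_set_option' ) passed to the page's JavaScript.
```

A forged cross-site request cannot carry a valid nonce for the victim's session, so the hardened handler rejects it before any option is written; the allow-list additionally bounds the damage should any single check ever be bypassed.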

Affected Version(s)

LoginPress | wp-login Custom Login Page Customizer: all versions <= 3.3.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Carlos Ferreira