Weak OTP Code Generation in Password Reset Plugin for WordPress
CVE-2025-5305

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Password Reset With Code For WordPress Rest Api
Vendor: CVE Published:; 18 September 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-5305?

The Password Reset with Code for WordPress REST API plugin before version 0.0.17 is susceptible to security weaknesses due to its reliance on non-cryptographically sound algorithms for generating One-Time Password (OTP) codes. This flaw exposes users to the risk of account takeover, as attackers could exploit the predictable nature of the OTPs to gain unauthorized access. Implementing robust cryptographic practices for OTP generation is essential to safeguard user accounts and enhance overall cybersecurity.

Affected Version(s)

Password Reset with Code for WordPress REST API 0 < 0.0.17

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-5305 - Proof of Concept

References

https://wpscan.com/vulnerability/dcf5c003-91b0-4e7d-89f3-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Sep 18, 2025
👾
Exploit known to exist
Sep 18, 2025
Vulnerability published
Sep 18, 2025
Vulnerability Reserved
May 28, 2025

Credit

Tommaso Gregori (p1s1o)

WPScan

JSON