CleanTalk Research Team has identified a severe information disclosure vulnerability in the popular WordPress plugin WP Reset (400,000+ active installations). The issue allows unauthenticated attackers to obtain license keys and sensitive site metadata directly from a publicly accessible log file created by the plugin.
This vulnerability has been assigned CVE-2025-10645 and independently confirmed by Wordfence.
Potential Consequences
1. License Abuse
- License Theft: Using stolen keys on other websites
- Resale: Illegally selling valid license keys
- Financial Losses: Losses to plugin developers from illegal use
2. Targeted Attacks
- Infrastructure Reconnaissance: Collecting software version information to find other vulnerabilities
- Phishing: Using website information for targeted phishing attacks
- Social Engineering: Using data for convincing attacks
3. Privacy Breach
- Corporate Data Leak: Exposing organization names and internal URLs
- Compliance Issues: Violation of GDPR/CCPA when personal data is leaked
- Reputational Risks: Damage to reputation when a leak is discovered
4. Attack Escalation
- Exploit Chains: Using nonces and metadata for other attacks
- Credential Stuffing: Using obtained information to attack other services
- RCE Chains: Combining with other vulnerabilities for remote execution Code
Affected Versions
Confirmed to be vulnerable: WP Reset version 2.05 and earlier
Fixed in: version 2.06 (released September 18, 2025)
CVE-2025-10645 poses a serious privacy threat to hundreds of thousands of WordPress sites using WP Reset. While the vulnerability does not allow direct code execution, the leak of license keys and metadata creates significant security risks and can lead to financial losses.
This incident highlights the critical importance of secure logging practices:
- Never write secrets in plaintext
- Store logs outside the web root
- Disable verbose logging in production
- Audit and purge logs regularly
Developers should treat logging with the same seriousness as password handling—any sensitive information must be protected at all stages of the application lifecycle.
References
Wordfence Advisory:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-reset-2/wp-reset-205-unauthenticated-sensitive-information-exposure-via-wf-licensinglog
CleanTalk Research Report:
https://research.cleantalk.org/cve-2025-10645/
Leave a Reply