← back
CVE-2025-5305

Password Reset with Code < 0.0.17 - Insecure Password Reset Code Creation

CVSS 9.8 CRITICALEPSS 0.2%
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.8EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
18 Sep 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Password Reset with Code for WordPress REST API WordPress plugin before 0.0.17 does not use cryptographically sound algorithms to generate OTP codes, potentially leading to account takeovers.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H