CVE-2025-5305
Password Reset with Code < 0.0.17 - Insecure Password Reset Code Creation
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.8EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
18 Sep 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Password Reset with Code for WordPress REST API WordPress plugin before 0.0.17 does not use cryptographically sound algorithms to generate OTP codes, potentially leading to account takeovers.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Unknown · Password Reset with Code for WordPress REST API