CVE-2025-5305

critical

Description

The "Password Reset with Code for WordPress REST API" plugin for WordPress, in versions before 0.0.17, does not use cryptographically sound algorithms to generate OTP codes, potentially leading to account takeovers.

References

https://wpscan.com/vulnerability/dcf5c003-91b0-4e7d-89f3-7459d8f01153/

Details

Source: Mitre, NVD

Published: 2025-09-18

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00013