CVE-2025-10645 MEDIUM

CVE-2025-10645: WP Reset <= 2.05 - Unauthenticated Sensitive Information Exposure via wf-licensing.log

Vendor Webfactory
Product WP Reset
Weakness CWE-532 · Sensitive info in logs
Published October 7, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The WP Reset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.05 via the WF_Licensing::log() method when debugging is enabled (default). This makes it possible for unauthenticated attackers to extract sensitive license key and site data.

Explanation of Vulnerability in Simple Terms

02 Summary

WP Reset versions 2.05 and earlier expose sensitive information through the wf-licensing.log file, which the WF_Licensing::log() method writes when debugging is enabled (the default). An attacker on the network can read partial data without authentication or user interaction. The vulnerability affects the plugin's core functionality; what is exposed depends on what has been logged, and the description names license key and site data.

What an attacker can do

03 Attacker Capabilities

Read sensitive information (license key and site data) logged by the plugin, without authentication.

Potential impact on your site

04 Site Impact

Sensitive plugin data or configuration details may be exposed to unauthenticated attackers.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.
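
A local audit for the condition described above, as an added example (not code from the plugin or from this advisory): run on the server, it walks a WordPress directory, lists files named wf-licensing.log, and flags WP Reset installs at or below 2.05. It assumes the plugin is identified by the standard WordPress "Plugin Name" header comment, since the advisory does not give the plugin's file paths.

```python
import os
import re
import sys

LOG_NAME = "wf-licensing.log"   # file name from the advisory title
LAST_AFFECTED = (2, 5)          # "2.05", last affected version per the advisory
# Assumption: the plugin is identified by the standard WordPress header comment.
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*WP Reset\s*$", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9.]+)", re.I | re.M)


def parse_version(text):
    """Turn '2.05' into (2, 5) so versions compare numerically."""
    return tuple(int(p) for p in text.split(".") if p)


def audit(wp_root):
    """Return (log_files, installs) found under wp_root.

    log_files: paths of files named wf-licensing.log
    installs:  (path, version, affected) for each WP Reset plugin header
    """
    log_files, installs = [], []
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == LOG_NAME:
                log_files.append(path)
            elif name.endswith(".php"):
                try:
                    with open(path, "r", errors="replace") as fh:
                        head = fh.read(8192)  # plugin headers sit at the top of the file
                except OSError:
                    continue  # unreadable file: skip it rather than abort the audit
                m = VERSION_RE.search(head)
                if NAME_RE.search(head) and m:
                    ver = parse_version(m.group(1))
                    installs.append((path, m.group(1), ver <= LAST_AFFECTED))
    return sorted(log_files), sorted(installs)


if __name__ == "__main__":
    logs, installs = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, version, affected in installs:
        print(f"{'AFFECTED' if affected else 'ok':8} WP Reset {version}  {path}")
    for path in logs:
        print(f"LOG      {os.path.getsize(path)} bytes  {path}")
    sys.exit(1 if logs or any(a for _, _, a in installs) else 0)
```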

Key dates

06 Disclosure timeline

October 7, 2025 CVE published
April 8, 2026 Record updated