{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10645", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-17T16:16:05.766Z", "datePublished": "2025-10-07T08:23:38.793Z", "dateUpdated": "2026-04-08T17:04:48.752Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:48.752Z"}, "affected": [{"vendor": "webfactory", "product": "WP Reset", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.05", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Reset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.05 via the WF_Licensing::log() method when debugging is enabled (default). This makes it possible for unauthenticated attackers to extract sensitive license key and site data."}], "title": "WP Reset <= 2.05 - Unauthenticated Sensitive Information Exposure via wf-licensing.log", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/86741f4a-8700-45dd-8998-b3f0387c27ed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3364169/"}, {"url": "https://research.cleantalk.org/cve-2025-10645/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-532 Insertion of Sensitive Information into Log File", "cweId": "CWE-532", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-09-17T16:33:43.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-06T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-07T18:17:41.498848Z", "id": "CVE-2025-10645", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-07T18:20:23.922Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10645", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-07T18:17:41.498848Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-07T18:20:18.080Z"}}], "cna": {"title": "WP Reset <= 2.05 - Unauthenticated Sensitive Information Exposure via wf-licensing.log", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "webfactory", "product": "WP Reset", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.05"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-17T16:33:43.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-06T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/86741f4a-8700-45dd-8998-b3f0387c27ed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3364169/"}, {"url": "https://research.cleantalk.org/cve-2025-10645/"}], "descriptions": [{"lang": "en", "value": "The WP Reset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.05 via the WF_Licensing::log() method when debugging is enabled (default). This makes it possible for unauthenticated attackers to extract sensitive license key and site data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:48.752Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10645", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:48.752Z", "dateReserved": "2025-09-17T16:16:05.766Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-07T08:23:38.793Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Reset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.05 via the WF_Licensing::log() method when debugging is enabled (default). This makes it possible for unauthenticated attackers to extract sensitive license key and site data."}], "id": "CVE-2025-10645", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-07T09:15:32.610", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3364169/"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-10645/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/86741f4a-8700-45dd-8998-b3f0387c27ed?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T13:14:42.749395+00:00", "value": {"mitigation_remediation": ["Update the WP Reset plugin to a version newer than 2.05 where the issue is fixed.", "If an upgrade cannot be performed immediately, disable debug logging in the plugin configuration or via WordPress settings to prevent the log method from exposing the license key.", "Restrict access to the wf-licensing.log file by setting appropriate file permissions or placing it behind authentication."], "summary": {"action": "Patch Required", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "The issue impacts the WP Reset plugin (webfactory) versions 2.05 and earlier. All installations of WP Reset up to and including 2.05 are affected.", "description_and_impact": "The WP Reset plugin for WordPress is affected by a sensitive information exposure flaw in all versions up to 2.05. The flaw lies in the WF_Licensing::log() method when debugging is enabled by default, allowing attackers to extract the plugin's license key and private site data without authentication.", "risk_and_exploitability": "The problem has a CVSS score of 5.3, indicating moderate severity, and an EPSS score of < 1%, implying a low likelihood of exploitation. It is not listed in the CISA KEV catalog. Attackers can exploit the flaw by simply accessing the plugin\u2019s logging endpoint or otherwise triggering the log method while debugging is enabled, over the network without credentials."}}}}, "created": "2025-10-08T13:39:12.863814+00:00", "updated": "2026-04-22T13:15:17.851503+00:00", "vendors": ["webfactoryltd", "webfactoryltd$PRODUCT$wp_reset", "wordpress", "wordpress$PRODUCT$wordpress"]}