CVE-2025-46485
Description
Missing Authorization vulnerability in Carlo La Pera WP Customize Login Page wp-customize-login-page allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP Customize Login Page: from n/a through <= 1.6.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WP Customize Login Page plugin versions ≤1.6.5 have a missing authorization vulnerability allowing unauthenticated access to restricted functionality.
The WP Customize Login Page plugin for WordPress suffers from a missing authorization vulnerability in versions up to and including 1.6.5. The root cause is the absence of proper capability checks or nonce validation in certain functions, which should have restricted access to administrative actions. This flaw is classified as a broken access control issue, as described in the Patchstack advisory [1].
An unauthenticated attacker can exploit this vulnerability by sending crafted requests to the affected plugin endpoints without needing any authentication or prior knowledge. The attack surface is broad because the plugin is widely used, and the vulnerability can be triggered remotely over HTTP. No special network position or user interaction is required [1].
Successful exploitation allows an attacker to access functionality that is normally reserved for higher-privileged users, such as modifying login page settings, injecting malicious content, or altering site appearance. This could lead to further compromise, including phishing attacks or defacement. The vulnerability is noted to be used in mass-exploit campaigns targeting thousands of websites [1].
As a mitigation, users should immediately update the WP Customize Login Page plugin to version 1.6.6 or later, which contains the necessary authorization checks. If updating is not possible, contacting a hosting provider or web developer for assistance is recommended. No workaround is available [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.6.5
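To check installations against the affected range above, the following added example (not code from the advisory or from the plugin) walks a directory tree, finds every copy of the plugin by its slug, and reads the version from the plugin header. It assumes the plugin sits in a directory named after the slug and that its main file carries the standard WordPress `Plugin Name:` and `Version:` header lines; the function names are illustrative.

```python
import re
import sys
from pathlib import Path

SLUG = "wp-customize-login-page"  # plugin slug as given in the CVE description
LAST_AFFECTED = (1, 6, 5)         # affected range on this page: <= 1.6.5

NAME_RE = re.compile(rb"Plugin Name:", re.IGNORECASE)
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)",
                        re.MULTILINE | re.IGNORECASE)

def parse_version(text):
    """Turn '1.6.5' into (1, 6, 5); a non-numeric part counts as 0."""
    parts = []
    for part in text.split("."):
        digits = re.match(r"\d+", part)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:         # pad '1.6' to (1, 6, 0) for comparison
        parts.append(0)
    return tuple(parts)

def installed_version(plugin_dir):
    """Read the Version header from the plugin's main file, if any."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192]  # WordPress reads headers from the first 8 KB
        if NAME_RE.search(head):
            match = VERSION_RE.search(head)
            return match.group(1).decode() if match else None
    return None

def audit(root):
    """Return (plugin_dir, version, status) for each copy of the plugin under root."""
    findings = []
    for plugin_dir in sorted(Path(root).rglob(SLUG)):
        if not plugin_dir.is_dir():
            continue
        version = installed_version(plugin_dir)
        if version is None:
            status = "unknown"        # no readable header: review by hand
        elif parse_version(version) <= LAST_AFFECTED:
            status = "affected"
        else:
            status = "not affected"
        findings.append((str(plugin_dir), version, status))
    return findings

if __name__ == "__main__":
    for path, version, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:12} {version or '?':10} {path}")
```

Pass the web root (or a directory holding several sites) as the first argument; copies reported as `unknown` need a manual look rather than being treated as safe.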
Patches
No patches discovered yet.
References