CVE-2025-58969
Description
Missing Authorization vulnerability in Greg Winiarski Custom Login URL custom-login-url allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom Login URL: from n/a through <= 1.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in Custom Login URL plugin (<=1.0.2) allows unauthenticated attackers to exploit incorrectly configured access controls.
The Custom Login URL plugin for WordPress versions up to 1.0.2 contains a missing authorization vulnerability [1]. This allows exploitation of incorrectly configured access control security levels, enabling unprivileged users to execute actions intended for higher-privileged roles.
An unauthenticated attacker can exploit this flaw by sending crafted requests to the plugin, bypassing authorization checks to perform privileged actions [1]. No authentication is required, making the attack vector accessible from the public internet.
Successful exploitation could allow an attacker to modify sensitive plugin settings, such as custom login URLs, potentially redirecting users to malicious sites or disrupting authentication [1]. The CVSS score is 5.3 (Medium), though the vendor rates it as low severity and unlikely to be widely exploited.
The vulnerability is patched in version 1.0.3. Users are urged to update immediately. Patchstack users can enable auto-updates for vulnerable plugins [1]. If unable to update, consult hosting providers or web developers for assistance.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<=1.0.2+ 1 more
- (no CPE)range: <=1.0.2
- (no CPE)range: <=1.0.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.