WP Reset is a widely used WordPress utility (400k+ installs) that accelerates development and recovery by resetting sites, managing snapshots, and handling licensing for its Pro features. During testing, we discovered CVE-2025-10645, a sensitive-data exposure flaw: when licensing is invoked, the plugin writes the submitted license key verbatim to a log file located under the publicly reachable wp-content/ directory. Because the logger is initialized with debug => true and no masking is applied to license_key, the log ends up disclosing raw keys alongside rich site metadata and server responses—all retrievable unauthenticated over HTTP on default setups.
| Field | Value |
| --- | --- |
| CVE | CVE-2025-10645 |
| Plugin Version | WP Reset <= 2.05 |
| Severity | High |
| All-time downloads | 9 529 498 |
| Active installations | 400 000+ |
| Publicly Published | October 9, 2025 |
| Last Updated | October 9, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10645 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-reset-2/wp-reset-205-unauthenticated-sensitive-information-exposure-via-wf-licensinglog |
Timeline
| Date | Event |
| --- | --- |
| September 16, 2025 | Plugin testing and vulnerability detection in WP Reset have been completed |
| September 16, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| October 9, 2025 | Registered CVE-2025-10645 |
Discovery of the Vulnerability
The issue manifests in the licensing routine: on each validate/activate/deactivate attempt, WP Reset emits a structured log entry to wp-content/wf-licensing.log. The entry includes a timestamp; the licensing endpoint URL; the full request payload (site URL and title, WP and plugin versions, the exact license key, and a request nonce/random value); and the server response (status, message/body), plus exception stack traces on failures. Because the log is placed inside the webroot without access controls and the logger runs by default with verbose mode on, any internet user who knows or guesses the path can fetch it directly.
Understanding Sensitive Data Exposure attacks
Security best practices require that:
- Secrets are never logged in cleartext (keys, tokens, passwords) – mask/redact at source.
- Logs are not web-served – keep them outside the document root or restrict access server-side.
- Debug logging is off in production – especially when it serializes request/response bodies.
Real-world incidents echo this pattern: licensing and payment gateways occasionally leave tokens in debug logs; backup and SMTP plugins have exposed credentials via public log files; and even core web server logs have leaked Authorization headers. CVE-2025-10645 falls squarely in this class—cleartext secret + public path—which is high severity despite the absence of code execution, because it enables license abuse and follow-on account or infrastructure attacks using the abundant metadata.
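The three controls above, applied to the kind of licensing logger described in the Discovery section, as an added example. This is not WP Reset's code: the functions wfl_redact(), wfl_log_dir() and wfl_safe_log() and the constant WFL_SECRET_KEYS are hypothetical names, and the payload fields in the usage comment only mirror the ones the advisory lists. The logger redacts secret fields before anything is serialized, writes above the document root when it can (falling back to a denied directory under wp-content/), and includes request/response bodies only when WP_DEBUG is set:

```php
<?php
/**
 * Added example (hypothetical names, not WP Reset's code): a licensing logger
 * that masks secrets at source, keeps the file out of the web root and only
 * serializes full request/response bodies in debug builds.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // WordPress-only context.
}

/** Field names whose values must never reach the log (matched case-insensitively). */
const WFL_SECRET_KEYS = array( 'license_key', 'license', 'key', 'token', 'password', 'nonce', 'authorization' );

/**
 * Recursively mask secret fields. Only the last four characters survive, which is
 * enough to tell keys apart in support cases without disclosing the key itself.
 */
function wfl_redact( $data ) {
    if ( is_object( $data ) ) {
        $data = (array) $data;
    }
    if ( ! is_array( $data ) ) {
        return $data;
    }
    foreach ( $data as $k => $v ) {
        if ( is_string( $k ) && in_array( strtolower( $k ), WFL_SECRET_KEYS, true ) && is_scalar( $v ) ) {
            $s          = (string) $v;
            $data[ $k ] = strlen( $s ) > 4 ? '****' . substr( $s, -4 ) : '****';
        } else {
            $data[ $k ] = wfl_redact( $v ); // descend into nested request/response bodies
        }
    }
    return $data;
}

/**
 * Prefer a directory one level above the WordPress root (not web-served at all).
 * If that is not writable, fall back to a wp-content/ subdirectory protected by
 * an .htaccess deny rule; that fallback only helps on Apache (see usage note).
 */
function wfl_log_dir() {
    $private = dirname( untrailingslashit( ABSPATH ) ) . '/wfl-logs';
    if ( wp_mkdir_p( $private ) && wp_is_writable( $private ) ) {
        return $private;
    }

    $fallback = WP_CONTENT_DIR . '/wfl-logs';
    wp_mkdir_p( $fallback );
    if ( ! file_exists( $fallback . '/.htaccess' ) ) {
        $rules  = "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n";
        $rules .= "<IfModule !mod_authz_core.c>\n    Deny from all\n</IfModule>\n";
        file_put_contents( $fallback . '/.htaccess', $rules );
    }
    if ( ! file_exists( $fallback . '/index.php' ) ) {
        file_put_contents( $fallback . '/index.php', "<?php // Silence is golden.\n" );
    }
    return $fallback;
}

/**
 * Append one JSON line. Full context (request payload, response body) is written
 * only when WP_DEBUG is on; production builds keep just the event and status.
 */
function wfl_safe_log( $event, array $context = array() ) {
    $entry = array(
        'time'  => current_time( 'mysql', true ),
        'event' => $event,
    );
    if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
        $entry['context'] = wfl_redact( $context );
    } elseif ( isset( $context['status'] ) ) {
        $entry['status'] = $context['status'];
    }
    $line = wp_json_encode( $entry ) . PHP_EOL;
    return false !== file_put_contents( wfl_log_dir() . '/licensing.log', $line, FILE_APPEND | LOCK_EX );
}

// Call site (hypothetical payload shape, mirroring the fields the advisory lists):
// wfl_safe_log( 'license.activate', array(
//     'url'         => 'https://licensing.example.invalid/validate', // placeholder endpoint
//     'site_url'    => home_url(),
//     'wp_version'  => get_bloginfo( 'version' ),
//     'license_key' => $license_key,   // masked to ****XXXX before it is written
//     'nonce'       => $nonce,         // masked as well
//     'status'      => 200,
// ) );
```

On nginx the generated .htaccess has no effect, so the fallback directory would also need a `location ~ /wfl-logs/ { deny all; }` block in the server configuration; keeping the log above the document root avoids depending on web-server rules at all. Masking at source rather than at read time also means a stray copy of the file (backup archive, support bundle) carries no usable key.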
Exploiting the Sensitive Data Exposure Vulnerability
To exploit CVE-2025-10645, an attacker needs no cookies or session: the log file is served to any unauthenticated visitor.
PoC:
Add a license key in the plugin settings, then fetch http://127.0.0.1/wordpress/wp-content/wf-licensing.log
- License/Asset Abuse: Attackers reuse keys to activate Pro features elsewhere or resell them.
- Targeted Attacks: Version strings + site URL/title fuel tailored exploits or phishing.
- Configuration/Key Leakage: Response bodies and diagnostics may reveal endpoints, tenant IDs, or troubleshooting output that accelerates compromise.
- Compliance/Privacy Impact: If logs capture emails, organization names, or other identifiers, the site owner faces GDPR/CCPA exposure and reputational harm.
- Chaining Opportunities: Exposed nonces/randoms and environment footprints can assist in broader kill chains (credential-stuffing, plugin-specific RCEs, social engineering).
Recommendations for Improved Security
Update WP Reset plugin to a patched release as soon as it’s available.
By taking proactive measures to address Sensitive Data Exposure vulnerabilities like CVE-2025-10645, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
