CVE-2025-14996
Unknown Unknown - Not Provided

Privilege Escalation in AS Password Field Plugin via Account Takeover

Vulnerability report for CVE-2025-14996, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: Wordfence

Description

The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-07-06
AI Q&A
2026-01-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
akshar_soft_solutions as_password_field_in_default_registration_form to 2.0.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the AS Password Field In Default Registration Form WordPress plugin up to version 2.0.0. It allows unauthenticated attackers to escalate privileges by taking over accounts. The plugin adds a password field to the registration form and overrides the default random password generation with the user-supplied password without properly validating the user's identity before allowing password updates. This flaw enables attackers to change any user's password, including administrators, thereby gaining unauthorized access to those accounts. [1]

Impact Analysis

The vulnerability can have severe impacts as it allows attackers to change passwords of arbitrary users without authentication. This includes administrator accounts, which means attackers can gain full control over the affected WordPress site. Such unauthorized access can lead to data breaches, site defacement, loss of data integrity, and potential further exploitation of the compromised system. [1]

Detection Guidance

Detection can focus on monitoring HTTP POST requests to the WordPress registration endpoint that include the parameter 'as_user_password'. Inspecting web server logs or using tools like curl or wget to simulate registration attempts with this parameter may help identify exploitation attempts. For example, a command to test might be: curl -X POST -d "user_login=testuser&[email protected]&as_user_password=Password123" https://yourwordpresssite.com/wp-login.php?action=register. Additionally, reviewing user password changes without proper authentication could indicate exploitation. [1]

Mitigation Strategies

Immediate mitigation steps include updating or removing the vulnerable 'AS Password Field In Default Registration Form' plugin if an update fixing the issue is available. If no patch exists, disable or uninstall the plugin to prevent exploitation. Additionally, monitor user accounts for unauthorized password changes and enforce strong password policies through other means. Restricting registration or adding additional validation layers can also help reduce risk until a fix is applied. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14996. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart