CVE-2025-14996 | The AS Password Field In Default Registration Form plugin fo… | CVSS 9.8 CRITICAL

Description

The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Metadata

CVE ID: CVE-2025-14996
State: PUBLISHED
Assigner: Wordfence
Reserved: 2025-12-20 12:33 UTC
Published: 2026-01-06 04:31 UTC
Last updated: 2026-04-08 16:33 UTC
Primary CWE: CWE-639
CWE-639 Authorization Bypass Through User-Controlled Key
Vendor / Product: aksharsoftsolutions / AS Password Field In Default Registration Form
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
aksharsoftsolutions	AS Password Field In Default Registration Form	—	0 ≤ 2.0.0

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	CWE-639 Authorization Bypass Through User-Controlled Key

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)