A high-severity vulnerability has been identified in the WordPress plugin "Custom Login Page Customizer." This flaw, tracked as CVE-2025-14975 with a CVSS score of 8.1, could allow an attacker to compromise affected websites, potentially leading to unauthorized access, data theft, or full site control. Organizations using this plugin should take immediate action to update to the latest version to mitigate the significant risk.

The provided description does not specify the exact nature of the vulnerability (e.g., SQL Injection, Remote Code Execution). However, a high CVSS score of 8.1 suggests a critical flaw that could likely be exploited by a remote attacker with low complexity. An attacker could potentially leverage this vulnerability to bypass security controls, escalate privileges, or execute arbitrary code on the web server, leading to a complete compromise of the WordPress site.

This vulnerability presents a high risk to the business, categorized by its CVSS score of 8.1. Successful exploitation could result in severe consequences, including the theft of sensitive data such as customer information and user credentials, website defacement, or the installation of malware to attack site visitors. Such an incident could lead to significant financial loss, regulatory penalties, reputational damage, and a loss of customer trust.

Immediate Action: Immediately update the "Custom Login Page Customizer" WordPress plugin to version 2.0 or the latest available version, which contains the patch for this vulnerability. If the plugin is not essential for business operations, consider deactivating and removing it entirely to reduce the overall attack surface.

Proactive Monitoring: Monitor web server access logs for unusual or malicious requests targeting the plugin's files and directories. Implement file integrity monitoring to detect unauthorized changes to WordPress core files, themes, or plugins. Watch for the creation of new, unauthorized administrative accounts within WordPress.

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) with rules designed to block common web attack patterns. Restrict access to the WordPress administrative dashboard (/wp-admin) to trusted IP addresses. Enforce multi-factor authentication (MFA) for all administrative users to provide an additional layer of security.

Public Exploit Available: False

Given the high severity of this vulnerability, immediate action is strongly recommended. All organizations using the "Custom Login Page Customizer" plugin must prioritize updating it to the latest version across all WordPress instances. Although this CVE is not currently on the CISA KEV list, its high-impact nature makes it a prime target for future exploitation. Proactive patching is the most effective defense against potential compromise.