CVE-2025-12374
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12374
EUVD
EUVD-2025-201358
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress user_verification *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress, versions up to and including 2.0.39. It is an authentication bypass issue caused by the plugin not properly validating whether a One-Time Password (OTP) was generated before comparing it to the user's input. As a result, an unauthenticated attacker can log in as any user with a verified email address, including administrators, by submitting an empty OTP value.

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated attackers to bypass authentication and gain access to any user account with a verified email address, including administrator accounts. This can lead to full compromise of the affected WordPress site, allowing attackers to steal data, modify content, install malicious code, or disrupt services.

Detection Guidance

This vulnerability can be detected by monitoring login attempts where the OTP value is empty or missing but still results in a successful login. Specifically, look for authentication attempts to the WordPress site using the User Verification plugin's OTP login endpoint with empty OTP parameters. Network monitoring tools or web server logs can be searched for POST requests to the OTP login form with empty or missing OTP fields. Commands such as using grep on web server logs to find such requests can be helpful, for example: `grep 'otp=' /path/to/access.log | grep -v 'otp=[^&]'` to find requests with empty OTP values. Additionally, monitoring for unusual successful logins without corresponding OTP generation events may indicate exploitation. [2]

Mitigation Strategies

Immediate mitigation steps include updating the User Verification plugin to a version later than 2.0.39 where this vulnerability is fixed. If an update is not immediately possible, temporarily disabling the Email OTP login feature or the entire User Verification plugin can prevent exploitation. Additionally, enabling other authentication protections such as reCAPTCHA (noting that it is currently commented out in the plugin code) or multi-factor authentication can help reduce risk. Monitoring and limiting login attempts and ensuring that only verified email addresses can log in may also help mitigate the issue until a patch is applied. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12374. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart