CVE-2025-12374
BaseFortify
Publication date: 2025-12-05
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | user_verification | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login β User Verification plugin for WordPress, versions up to and including 2.0.39. It is an authentication bypass issue caused by the plugin not properly validating whether a One-Time Password (OTP) was generated before comparing it to the user's input. As a result, an unauthenticated attacker can log in as any user with a verified email address, including administrators, by submitting an empty OTP value.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows unauthenticated attackers to bypass authentication and gain access to any user account with a verified email address, including administrator accounts. This can lead to full compromise of the affected WordPress site, allowing attackers to steal data, modify content, install malicious code, or disrupt services.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring login attempts where the OTP value is empty or missing but still results in a successful login. Specifically, look for authentication attempts to the WordPress site using the User Verification plugin's OTP login endpoint with empty OTP parameters. Network monitoring tools or web server logs can be searched for POST requests to the OTP login form with empty or missing OTP fields. Commands such as using grep on web server logs to find such requests can be helpful, for example: `grep 'otp=' /path/to/access.log | grep -v 'otp=[^&]'` to find requests with empty OTP values. Additionally, monitoring for unusual successful logins without corresponding OTP generation events may indicate exploitation. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the User Verification plugin to a version later than 2.0.39 where this vulnerability is fixed. If an update is not immediately possible, temporarily disabling the Email OTP login feature or the entire User Verification plugin can prevent exploitation. Additionally, enabling other authentication protections such as reCAPTCHA (noting that it is currently commented out in the plugin code) or multi-factor authentication can help reduce risk. Monitoring and limiting login attempts and ensuring that only verified email addresses can log in may also help mitigate the issue until a patch is applied. [2]