CVE-2025-14002
Authentication Bypass in WPCOM Member Plugin via OTP Brute Force
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wpcom-member | 1.7.16 |
| wordpress | wpcom-member | 1.7.17 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WPCOM Member plugin for WordPress (up to version 1.7.16) is an authentication bypass via brute force. It arises because the plugin uses a weak One-Time Password (OTP) system that generates only 6-digit numeric codes, which are valid for 10 minutes. Additionally, there is no rate limiting on verification attempts. This combination allows an attacker who knows a user's phone number to repeatedly guess the OTP until successful, potentially authenticating as any user, including administrators, if the user does not notice or ignores the SMS notification.
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to gain unauthorized access to user accounts, including administrator accounts, by brute forcing the SMS verification code. This can lead to full compromise of the affected WordPress site, including data theft, site defacement, or further exploitation. The lack of rate limiting and the long validity window of the OTP make it easier for attackers to succeed in brute force attempts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided resources do not include specific detection methods or commands to identify exploitation attempts of this vulnerability on your network or system. However, since the vulnerability involves brute forcing the SMS verification code without rate limiting, monitoring repeated failed SMS verification attempts per phone number in logs or session data could help detect attacks. No explicit commands or detection tools are described in the provided text.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the WPCOM Member plugin to version 1.7.17 or later. This update introduces security enhancements including reducing the SMS verification code validity period (default 5 minutes, configurable), implementing a lockout mechanism after 5 failed SMS code verification attempts per phone number, and improved session management to prevent brute-force attacks. Applying this update will address the authentication bypass vulnerability described in CVE-2025-14002. [2]
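To make the two mitigations and the detection idea from the answers above concrete, here is an added Python sketch written for this page (illustrative code, not the plugin's own PHP): an OTP verifier that enforces the 5-minute validity window and the 5-failure per-phone lockout, plus a check that flags phone numbers with repeated failed verifications in constructed log lines. The log format, function names and defaults are assumptions.

```python
import hashlib, hmac, secrets, time
from collections import defaultdict

# Parameters the advisory reports for the fixed release 1.7.17 (assumed here as defaults).
OTP_TTL_SECONDS = 5 * 60      # validity window; the vulnerable 1.7.16 allowed 10 minutes
MAX_FAILED_ATTEMPTS = 5       # lock the phone number after this many failed verifications

class OtpVerifier:
    def __init__(self, ttl=OTP_TTL_SECONDS, max_failed=MAX_FAILED_ATTEMPTS, clock=time.time):
        self.ttl, self.max_failed, self.clock = ttl, max_failed, clock
        self._codes = {}                    # phone -> (sha256(code), issued_at)
        self._failures = defaultdict(int)   # phone -> failed attempts since last success

    def issue(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"   # 6-digit numeric code, as the plugin uses
        self._codes[phone] = (hashlib.sha256(code.encode()).digest(), self.clock())
        return code                                 # delivered out of band (SMS), never logged

    def verify(self, phone, code):
        if self._failures[phone] >= self.max_failed:
            return "locked"      # refused before any comparison: guessing stops here
        entry = self._codes.get(phone)
        if entry is None or self.clock() - entry[1] > self.ttl:
            self._codes.pop(phone, None)
            return "expired"     # a shorter window leaves fewer guesses per issued code
        if hmac.compare_digest(hashlib.sha256(code.encode()).digest(), entry[0]):
            self._codes.pop(phone)
            self._failures.pop(phone, None)
            return "ok"
        self._failures[phone] += 1
        return "bad"

# Constructed log lines (not real plugin output) of the kind a site could emit per attempt.
SAMPLE_LOG = """\
2025-12-16T10:00:01Z otp_verify phone=+15550001 result=bad
2025-12-16T10:00:09Z otp_verify phone=+15550001 result=ok
2025-12-16T10:01:00Z otp_verify phone=+15550009 result=bad
2025-12-16T10:01:01Z otp_verify phone=+15550009 result=bad
2025-12-16T10:01:02Z otp_verify phone=+15550009 result=bad
2025-12-16T10:01:03Z otp_verify phone=+15550009 result=bad
2025-12-16T10:01:04Z otp_verify phone=+15550009 result=bad"""

def flag_brute_force(log_text, threshold=MAX_FAILED_ATTEMPTS):
    """Phone numbers with at least `threshold` failed verifications in the log."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        if fields.get("result") == "bad":
            failures[fields["phone"]] += 1
    return sorted(p for p, n in failures.items() if n >= threshold)
```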
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources and context do not explicitly discuss the impact of the CVE-2025-14002 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. Therefore, it is not possible to determine from the given information how this authentication bypass vulnerability affects compliance with these regulations.