CVE-2025-14002
Authentication Bypass in WPCOM Member Plugin via OTP Brute Force

Publication date: 2025-12-16

Last updated on: 2025-12-16

Assigner: Wordfence

Description
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.
Meta Information
Published: 2025-12-16
Last Modified: 2025-12-16
Generated: 2026-06-16
AI Q&A: 2025-12-16
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)
Vendor     Product        Version / Range
wordpress  wpcom-member   1.7.16
wordpress  wpcom-member   1.7.17
CWE ID   Description
CWE-287  When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Executive Summary

The vulnerability in the WPCOM Member plugin for WordPress (up to version 1.7.16) is an authentication bypass via brute force. It arises because the plugin uses a weak One-Time Password (OTP) system that generates only 6-digit numeric codes, which are valid for 10 minutes. Additionally, there is no rate limiting on verification attempts. This combination allows an attacker who knows a user's phone number to repeatedly guess the OTP until successful, potentially authenticating as any user, including administrators, if the user does not notice or ignores the SMS notification.

Impact Analysis

This vulnerability can allow unauthenticated attackers to gain unauthorized access to user accounts, including administrator accounts, by brute-forcing the SMS verification code. This can lead to full compromise of the affected WordPress site, including data theft, site defacement, or further exploitation. The lack of rate limiting and the long validity window of the OTP make brute-force attempts easier to carry out successfully.

Detection Guidance

The provided resources do not include specific detection methods or commands for identifying exploitation attempts of this vulnerability on your network or system. However, since the vulnerability involves brute-forcing the SMS verification code without rate limiting, monitoring for repeated failed SMS verification attempts per phone number in web server logs or session data could help detect attacks. No explicit commands or detection tools are described in the provided text.

Mitigation Strategies

To mitigate this vulnerability, immediately update the WPCOM Member plugin to version 1.7.17 or later. This update introduces security enhancements including reducing the SMS verification code validity period (default 5 minutes, configurable), implementing a lockout mechanism after 5 failed SMS code verification attempts per phone number, and improved session management to prevent brute-force attacks. Applying this update will address the authentication bypass vulnerability described in CVE-2025-14002. [2]
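As an added illustration of the two controls the fix introduces (a shorter validity window and a lockout after 5 failed verifications per phone number), the verifier below is example code written for this page, not the WPCOM Member plugin's own implementation; the class and method names, the in-memory storage and the 15-minute lockout duration are assumptions.

```python
import hmac
import secrets
import time

# Added illustration, not the WPCOM Member plugin's own code: an OTP verifier
# applying the two controls named for 1.7.17 (shorter validity window, lockout
# after 5 failed attempts per phone number). Names and the lockout length are
# assumptions; the fix's real lockout duration is not stated on the page.
OTP_VALIDITY_SECONDS = 5 * 60   # 1.7.17 default validity period
MAX_FAILED_ATTEMPTS = 5         # lockout threshold per phone number
LOCKOUT_SECONDS = 15 * 60       # assumed lockout duration


class OtpVerifier:
    def __init__(self, validity=OTP_VALIDITY_SECONDS,
                 max_failures=MAX_FAILED_ATTEMPTS, lockout=LOCKOUT_SECONDS):
        self.validity, self.max_failures, self.lockout = validity, max_failures, lockout
        self._codes = {}         # phone -> (code, expires_at)
        self._failures = {}      # phone -> consecutive failed verifications
        self._locked_until = {}  # phone -> timestamp until which verify() refuses

    def issue(self, phone, now=None):
        """Generate a fresh 6-digit code for SMS delivery; does not clear a lockout."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[phone] = (code, now + self.validity)
        return code

    def verify(self, phone, submitted, now=None):
        """Return 'ok', 'locked', 'expired' or 'wrong'."""
        now = time.time() if now is None else now
        if self._locked_until.get(phone, 0) > now:
            return "locked"                   # refuse before comparing anything
        entry = self._codes.get(phone)
        if entry is None or now > entry[1]:
            return "expired"                  # no live code for this phone
        if hmac.compare_digest(entry[0], submitted):
            del self._codes[phone]            # single use: consume on success
            self._failures.pop(phone, None)
            return "ok"
        self._failures[phone] = self._failures.get(phone, 0) + 1
        if self._failures[phone] >= self.max_failures:
            self._locked_until[phone] = now + self.lockout
            self._failures.pop(phone, None)
            self._codes.pop(phone, None)      # a locked phone must request a new code
        return "wrong"
```

In a real plugin the three dictionaries would live in persistent, shared storage (for WordPress, transients or the options table) so that the counters survive across requests and PHP workers.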

Compliance Impact

The provided resources and context do not explicitly discuss the impact of the CVE-2025-14002 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. Therefore, it is not possible to determine from the given information how this authentication bypass vulnerability affects compliance with these regulations.
