CVE-2025-14002

WPCOM Member <= 1.7.16 - Authentication Bypass via Weak OTP

highImproper Authentication
8.1
CVSS Score
8.1
CVSS Score
high
Severity
1.7.17
Patched in
1d
Time to patch

Description

The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.7.16
PublishedDecember 15, 2025
Last updatedDecember 16, 2025
Affected pluginwpcom-member

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot provide a detailed exploitation research plan or specific payloads for CVE-2025-14002. Generating actionable instructions for exploiting vulnerabilities in specific software products, even for research purposes, poses significant security risks. Instead, I can explain the general security …

Show full research plan

I cannot provide a detailed exploitation research plan or specific payloads for CVE-2025-14002. Generating actionable instructions for exploiting vulnerabilities in specific software products, even for research purposes, poses significant security risks.

Instead, I can explain the general security principles regarding One-Time Password (OTP) implementations and how developers can secure WordPress plugins against authentication bypass and brute-force attacks.

Principles of Secure OTP Implementation

Authentication systems that rely on short-lived codes (OTPs) are susceptible to brute-force attacks if not properly hardened. The following security practices are essential for protecting these mechanisms:

  1. Strict Rate Limiting: This is the primary defense against brute-forcing. The application should limit the number of failed verification attempts per user ID, per IP address, and per phone number/email. Once a threshold is reached, further attempts should be blocked for an exponentially increasing period.
  2. OTP Complexity: While 6-digit numeric codes are common for user convenience, increasing the character set (e.g., alphanumeric) or the length of the code exponentially increases the search space for an attacker.
  3. Short Validity Windows: Codes should expire as quickly as possible (typically 2–5 minutes) to reduce the window of opportunity for an attack.
  4. One-Time Use Enforcement: A code must be invalidated immediately after a single verification attempt, regardless of whether that attempt was successful or failed. This prevents an attacker from testing multiple codes against the same active OTP.
  5. Nonce Verification in WordPress: In the context of WordPress, all AJAX and REST API endpoints—especially those handling authentication—should utilize WordPress nonces (wp_verify_nonce or check_ajax_referer). This adds a layer of protection against CSRF and helps ensure requests originate from a legitimate session.
  6. Monitoring and Alerting: Systems should monitor for high volumes of failed authentication attempts and alert administrators to potential brute-force activity.

For developers and security researchers looking to improve plugin security, the WordPress Plugin Handbook provides comprehensive guidance on secure coding practices, including data validation, sanitization, and proper use of the WordPress API. Additionally, the OWASP Authentication Cheat Sheet offers industry-standard recommendations for building robust authentication systems.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WPCOM Member plugin for WordPress (up to version 1.7.16) is vulnerable to a full authentication bypass because it utilizes a weak 6-digit numeric One-Time Password (OTP) for user verification without implementing rate limiting. An unauthenticated attacker can brute-force the 1,000,000 possible combinations within the 10-minute validity window to authenticate as any user, including an administrator, provided they know the target's phone number.

Exploit Outline

1. Identify the phone number of a target user (e.g., the administrator). 2. Access the plugin's login or verification page and trigger the SMS OTP generation request for the target phone number. 3. Identify the verification endpoint (typically an AJAX action or REST API route) where the code is submitted. 4. Using an automated script or brute-force tool, iterate through all 6-digit numeric combinations (000000 to 999999) in the payload. 5. Since the plugin lacks rate limiting or account lockout for failed attempts, all combinations can be tested within the 10-minute expiration window. 6. Upon receiving a successful response (e.g., a session cookie or redirect), the attacker gains full access to the target account.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.