CVE-2025-12374
Published: 05 December 2025
Description
The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of identified software flaws, directly addressing the authentication bypass by updating the vulnerable WordPress plugin beyond version 2.0.44.
Ensures proper management and verification of OTP authenticators, preventing bypasses from insufficient checks on OTP generation prior to input comparison.
Mandates enforcement of approved authorizations, mitigating unauthorized access enabled by the plugin's flawed OTP validation logic.
Security Summary
CVE-2025-12374 is an authentication bypass vulnerability in the Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress, affecting all versions up to and including 2.0.44. The issue stems from the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function, mapped to CWE-287 (Improper Authentication). Published on 2025-12-05 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it enables critical unauthorized access.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction or privileges required. By submitting an empty OTP value, they can log in as any user with a verified email address, such as an administrator, granting full compromise of confidentiality, integrity, and availability for the targeted account and potentially the entire site.
Advisories and plugin references, including the Wordfence threat intelligence page, WordPress plugin trac code at hook.php line 141, and changeset 3442150, detail the flaw and associated fixes. Mitigation involves updating to a version beyond 2.0.44, where the validation logic is presumably corrected.
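The flaw class described above (comparing user input against an OTP that was never generated, so an empty submission matches an empty stored value) can be shown in a few lines. The following is an added, constructed example and is not code from the plugin or from the advisory sources; it models a per-user metadata store that returns an empty string for a missing key (the same convention WordPress's get_user_meta uses), which is the assumption that makes the bypass visible. The user id, OTP lifetime and store class are hypothetical. It places the flawed check beside a hardened one that requires a generated, unexpired OTP and non-empty input, compares in constant time, and consumes the code after use.

```python
"""Model of the OTP-login flaw class described for CVE-2025-12374.

Constructed, stand-alone example: not the plugin's code. It assumes a
per-user key/value store that yields '' for a missing key, as WordPress
get_user_meta(..., true) does.
"""
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime used by the hardened check


class UserMetaStore:
    """Minimal stand-in for a per-user metadata store (constructed)."""

    def __init__(self):
        self._meta = {}

    def get(self, user_id, key):
        # Missing key yields '' rather than None, mirroring get_user_meta.
        return self._meta.get((user_id, key), "")

    def set(self, user_id, key, value):
        self._meta[(user_id, key)] = value

    def delete(self, user_id, key):
        self._meta.pop((user_id, key), None)


def generate_otp(store, user_id):
    """Issue a fresh 6-digit OTP for the user and record when it was issued."""
    otp = f"{secrets.randbelow(10**6):06d}"
    store.set(user_id, "otp", otp)
    store.set(user_id, "otp_issued_at", time.time())
    return otp


def otp_login_vulnerable(store, user_id, submitted_otp):
    """Flawed check: never verifies that an OTP was actually generated.

    With no OTP on record the store yields '' and an empty submission
    matches it, so the caller is authenticated without ever receiving a code.
    """
    stored = store.get(user_id, "otp")
    return submitted_otp == stored


def otp_login_hardened(store, user_id, submitted_otp, now=None):
    """Hardened check: require a generated, unexpired OTP and non-empty input,
    compare in constant time, and consume the OTP so it cannot be replayed."""
    now = time.time() if now is None else now
    stored = store.get(user_id, "otp")
    issued_at = store.get(user_id, "otp_issued_at")
    if not stored or not submitted_otp:
        return False  # nothing generated, or nothing submitted
    if issued_at == "" or now - issued_at > OTP_TTL_SECONDS:
        store.delete(user_id, "otp")
        store.delete(user_id, "otp_issued_at")
        return False  # stale code: discard it
    if not hmac.compare_digest(str(submitted_otp), str(stored)):
        return False
    # Single use: clear the code once accepted.
    store.delete(user_id, "otp")
    store.delete(user_id, "otp_issued_at")
    return True


def demo():
    """Walk through the bypass and its fix; returns a dict of outcomes."""
    store = UserMetaStore()
    admin = 1  # constructed id for a user with a verified email
    results = {}
    # No OTP was ever requested: empty input passes the flawed check.
    results["vulnerable_empty_otp"] = otp_login_vulnerable(store, admin, "")
    # The hardened check refuses because nothing was generated.
    results["hardened_empty_otp"] = otp_login_hardened(store, admin, "")
    # Legitimate flow: generate, then submit the right code.
    code = generate_otp(store, admin)
    wrong = "000000" if code != "000000" else "111111"
    results["hardened_wrong_code"] = otp_login_hardened(store, admin, wrong)
    results["hardened_correct_code"] = otp_login_hardened(store, admin, code)
    # The code was consumed; replaying it fails.
    results["hardened_replay"] = otp_login_hardened(store, admin, code)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```

The vulnerable branch is the one-line equality test: it has no notion of "an OTP exists for this user", so the absence of a code is indistinguishable from an empty code. The hardened version treats absence, expiry and empty input as distinct failure cases and removes the code after a successful login, which also closes the replay window.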
Details
- CWE(s): CWE-287 (Improper Authentication)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing WordPress plugin, directly enabling exploitation of a public-facing application (T1190) to impersonate any user and compromise the site.