CVE-2025-14002

High

Published: 16 December 2025

Published

16 December 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0036 58.0th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute…

validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.

Mitigating Controls (NIST 800-53 r5)AI

AC-7 Unsuccessful Logon Attempts good match

prevent

Establishes thresholds and lockouts for unsuccessful logon attempts, directly preventing brute-force attacks on OTP verification by implementing rate limiting.

IA-5 Authenticator Management good match

prevent

Ensures authenticators like OTPs have sufficient strength of mechanism, addressing the weak 6-digit numeric generation and long 10-minute validity window.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of flaws, directly mitigating this vulnerability through plugin updates beyond version 1.7.16.

Security SummaryAI

CVE-2025-14002 is an authentication bypass vulnerability in the WPCOM Member plugin for WordPress, affecting all versions up to and including 1.7.16. The issue stems from weak OTP generation using only 6 numeric digits, a 10-minute validity window, and the absence of rate limiting on verification attempts, enabling brute-force attacks against the one-time password sent via SMS. Published on 2025-12-16 with a CVSS v3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H) and mapped to CWE-287 (Improper Authentication), it exposes WordPress sites relying on this plugin for membership management.

Unauthenticated attackers can exploit this vulnerability if they know the target user's phone number. By brute-forcing the 1,000,000 possible 6-digit codes within the 10-minute window, they can gain valid authentication sessions as any user, including administrators, provided the target does not notice or act on the SMS notification containing the OTP.

Mitigation requires updating the WPCOM Member plugin beyond version 1.7.16, as indicated by WordPress plugin repository references including source code in class-session.php (line 29), member-functions.php (line 833), and changeset 3411048 which addresses the flaw. Additional details are available in Wordfence's threat intelligence report.

Details

CWE(s): CWE-287

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1110.001 Password Guessing Credential Access

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

attack.mitre.org →

Why these techniques?

The vulnerability is an improper authentication bypass in a public-facing WordPress plugin (T1190) that facilitates brute-force guessing of weak OTPs due to short length, long validity window, and lack of rate limiting (T1110.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/class-sesstion.php#L29
security@wordfence.com
https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/member-functions.php#L833
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3411048/wpcom-member
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/4f02ee56-40bd-4132-92e1-e2897ff2a4c4?source=cve
security@wordfence.com