CVE-2025-1475
Published: 07 March 2025
Description
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Security Summary
CVE-2025-1475 is an authentication bypass vulnerability affecting the WPCOM Member plugin for WordPress in all versions up to and including 1.7.5. The issue stems from insufficient verification of the 'user_phone' parameter during login processes, specifically when SMS login is enabled. Published on 2025-03-07 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it is mapped to CWE-287 (Improper Authentication).
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating the 'user_phone' parameter, they can log in as any existing user on the site, including administrators, granting full access to the targeted account's privileges if SMS login is enabled.
Mitigation guidance from advisories, including Wordfence's threat intelligence report, recommends updating the WPCOM Member plugin to a patched version beyond 1.7.5. The WordPress plugin trac shows the vulnerability in form-validation.php at line 110 in tag 1.7.1 and a fix in changeset 3248208. Disabling SMS login provides a temporary workaround until patching.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The auth bypass in a public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) for initial access and abuse of valid accounts (T1078) by allowing login as any user including admins without credentials.