CVE-2025-9967

CVE-2025-9967 is a privilege escalation vulnerability via account takeover in the Orion SMS OTP Verification plugin for WordPress, affecting all versions up to and including 1.1.7. The issue stems from the plugin failing to properly validate a user's identity before updating their password, allowing unauthorized password changes. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The vulnerability was published on 2025-10-15.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. If an attacker knows a target user's phone number, they can reset that user's password to a one-time password (OTP), enabling full account takeover and potential privilege escalation to administrative levels depending on the victim's role.

Advisories and related resources, including the Wordfence threat intelligence page (https://www.wordfence.com/threat-intel/vulnerabilities/id/b121fdb4-93a8-400c-89c2-3195cb40e03c?source=cve), plugin changelog (https://plugins.trac.wordpress.org/log/orion-sms-otp-verification/), and reset-password.js source code (https://plugins.trac.wordpress.org/browser/orion-sms-otp-verification/trunk/vendor/js/reset-password.js), provide further details on the flaw for mitigation planning, such as updating to a patched version if available.