Description
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.
Published: 2025-12-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

The WPCOM Member plugin for WordPress is vulnerable to an authentication bypass because its OTP generation is weak, using only six numeric digits combined with a ten‑minute validity window and no rate limiting on verification attempts. An attacker who knows a target’s phone number can brute‑force the OTP, thereby authenticating as that user, including administrators, if the target does not notice or ignores the SMS notification.

Affected Systems

The vulnerability affects the whyun WPCOM Member plugin for WordPress. All released versions up to and including 1.7.16 are impacted. Users running these versions should check the plugin’s changelog or contact the vendor for an updated release that addresses the OTP weakness.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score is under 1%, suggesting a low probability of exploitation in the wild, and the CVE is not listed in the CISA KEV catalog. Based on the description, the attack vector is remote: an unauthenticated attacker can repeatedly submit OTP verification requests over the network. Because each attempt requires only a 6‑digit numeric code and there is no rate limiting, brute‑forcing can succeed within the 10‑minute validity period. If successful, the attacker gains full access to the target account, potentially including administrator rights, thereby compromising the confidentiality, integrity, and availability of the WordPress site.

Generated by OpenCVE AI on April 21, 2026 at 17:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPCOM Member plugin to the latest available release that addresses the OTP vulnerability.
  • If a patch is not immediately available, configure stricter rate limiting on OTP verification requests or temporarily disable the OTP flow until a secure implementation is deployed.
  • Implement additional multi‑factor authentication (e.g., time‑based one‑time passwords or hardware tokens) to reduce reliance on the weak numeric OTP.
  • Verify that the updated plugin no longer relies on a 6‑digit numeric OTP that stays valid for 10 minutes without rate limiting or cryptographic randomness; if you are not in a position to audit this, consider removing or disabling the member module entirely until a secure version is released.

Generated by OpenCVE AI on April 21, 2026 at 17:04 UTC.
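
A hardened verifier for this kind of SMS‑OTP flow, showing the attempt limit, expiry and constant‑time comparison that the analysis and recommended actions above call for. This is an added Python example, not code from the WPCOM Member plugin; the OtpStore class, the MAX_ATTEMPTS value and the phone numbers are assumptions.

```python
"""Hardened SMS-OTP verification: expiry, attempt cap, CSPRNG, single use.
Added example; not code from the WPCOM Member plugin. Limits are assumptions."""
import hmac
import secrets
import time

OTP_DIGITS = 6            # advisory: 6 numeric digits (10**6 possible codes)
OTP_TTL_SECONDS = 600     # advisory: 10-minute validity window
MAX_ATTEMPTS = 5          # assumed lockout threshold; the plugin enforced none


class OtpStore:
    """Server-side state per phone number: code, issue time, attempt counter."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for testing expiry
        self.pending = {}           # phone -> [code, issued_at, attempts]

    def issue(self, phone):
        # CSPRNG instead of rand()/mt_rand(): the code must be unpredictable
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[phone] = [code, self.clock(), 0]
        return code                 # caller sends this by SMS

    def verify(self, phone, submitted):
        entry = self.pending.get(phone)
        if entry is None:
            return "no_pending_code"
        code, issued_at, attempts = entry
        if self.clock() - issued_at > OTP_TTL_SECONDS:
            del self.pending[phone]
            return "expired"
        if attempts >= MAX_ATTEMPTS:
            del self.pending[phone]  # lockout: a fresh code must be issued
            return "locked_out"
        entry[2] = attempts + 1      # count the attempt before comparing
        if hmac.compare_digest(code, str(submitted)):
            del self.pending[phone]  # single use: a code never verifies twice
            return "ok"
        return "wrong_code"


def brute_force_success_probability(max_attempts=MAX_ATTEMPTS, digits=OTP_DIGITS):
    """Chance of guessing a uniformly random code before lockout."""
    return min(1.0, max_attempts / 10 ** digits)
```

With the attempt cap in place the guessing probability per issued code is 5 in 10^6; without it, the advisory's 10‑minute window is the only limit on the number of guesses.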


Advisories

No advisories yet.

History

Tue, 16 Dec 2025 17:15:00 +0000

Type: First Time appeared
Values Added: Wordpress, Wordpress wordpress, Wpcom, Wpcom wpcom Member

Type: Vendors & Products
Values Added: Wordpress, Wordpress wordpress, Wpcom, Wpcom wpcom Member

Tue, 16 Dec 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Dec 2025 09:30:00 +0000

Type: Description
Values Added: The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.

Type: Title
Values Added: WPCOM Member <= 1.7.16 - Authentication Bypass via Weak OTP

Type: Weaknesses
Values Added: CWE-287

Type: References

Type: Metrics
Values Added: cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:56.535Z

Reserved: 2025-12-04T02:28:05.914Z

Link: CVE-2025-14002

Vulnrichment

Updated: 2025-12-16T14:57:05.380Z

NVD

Status: Deferred

Published: 2025-12-16T10:15:42.583

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14002

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses