Description
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.
Published: 2025-03-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

The WPCOM Member plugin for WordPress contains an authentication bypass flaw that stems from the plugin’s failure to properly validate the 'user_phone' parameter during login. When an attacker supplies an arbitrary phone number, the plugin accepts it as a valid credential and authenticates the request as the user associated with that number. This allows an attacker to impersonate any registered account, including administrators, without needing a password. The weakness is an authentication failure (CWE-287) and it provides the attacker with full access to the site’s content, files, and potentially sensitive data.

Affected Systems

WordPress sites that use the whyun WPCOM Member plugin version 1.7.5 or earlier are affected. All installations that have not updated beyond 1.7.5 and that have SMS login enabled are at risk.

Risk and Exploitability

The vulnerability receives a CVSS score of 9.8, classifying it as critical. The EPSS score of less than 1% suggests that, in the current window, the probability of exploitation is low, and it is not listed in the CISA KEV catalog. Nonetheless, the attack vector is straightforward: a remote, unauthenticated request to the login endpoint with a crafted 'user_phone' value. An attacker only needs network access to the site and the ability to send HTTP requests. Should the service allow SMS login, the attacker can simply supply any phone number that belongs to a registered user to gain full access.

Generated by OpenCVE AI on April 28, 2026 at 03:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPCOM Member plugin to the latest version, which removes the user_phone validation flaw.
  • If the plugin cannot be upgraded immediately, disable SMS-based login or block the user_phone parameter until a patch is applied.
  • Monitor login activity for unexpected authentication events and apply additional access controls such as role-based permissions to limit the impact of potential account takeover.
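The following is an added illustration, not code from the WPCOM Member plugin or from OpenCVE. It shows the pattern the Impact section describes (a phone number accepted as the only login credential) next to a hardened SMS login flow of the kind the recommended actions point toward, in which a one-time code is issued out of band, stored only as a hash with a short expiry and an attempt limit, and must be presented before any session is created. It assumes a WordPress runtime: the `wp_*`, `get_users`, `*_transient` and `WP_Error` calls are standard WordPress APIs, while every name prefixed `example_` (including the `user_phone` user-meta key and the SMS transport stub) is a hypothetical placeholder.

```php
<?php
// Added example for CVE-2025-1475 (not the plugin's own code). Assumes it is
// loaded inside WordPress; all "example_" names are hypothetical.

// --- Vulnerable pattern (what CWE-287 looks like for an SMS login) ---------
function example_sms_login_vulnerable() {
    $phone = sanitize_text_field( $_POST['user_phone'] ?? '' );
    // Hypothetical: the plugin stores each user's phone in user meta.
    $users = get_users( array( 'meta_key' => 'user_phone', 'meta_value' => $phone, 'number' => 1 ) );
    if ( empty( $users ) ) {
        return new WP_Error( 'no_user', 'Unknown phone' );
    }
    // The phone number alone selects and logs in the account. Nothing proves
    // the caller controls that phone, so any registered number is a password.
    wp_set_auth_cookie( $users[0]->ID );
    return $users[0]->ID;
}

// --- Hardened pattern ------------------------------------------------------
// Transport stub: a real deployment would hand the code to an SMS gateway.
function example_send_sms( $phone, $code ) {
    do_action( 'example_send_sms', $phone, $code );
}

// Step 1: issue a one-time code bound to the phone. Only its hash is stored,
// together with an attempt counter, and it expires after five minutes.
function example_sms_send_code( $phone ) {
    $phone = sanitize_text_field( $phone );
    $code  = (string) random_int( 100000, 999999 );
    set_transient(
        'example_sms_' . md5( $phone ),
        array( 'hash' => wp_hash_password( $code ), 'attempts' => 0 ),
        5 * MINUTE_IN_SECONDS
    );
    example_send_sms( $phone, $code );
}

// Step 2: the login request must present the code. It is checked against the
// stored hash, attempts are limited, and the code is single use; only then is
// the user looked up by phone and a session created.
function example_sms_login_hardened() {
    $phone = sanitize_text_field( $_POST['user_phone'] ?? '' );
    $code  = sanitize_text_field( $_POST['sms_code'] ?? '' );
    $key   = 'example_sms_' . md5( $phone );
    $state = get_transient( $key );

    if ( false === $state || $state['attempts'] >= 5 ) {
        // No code was issued for this phone, it expired, or it was guessed at
        // too often: invalidate and refuse without revealing which.
        delete_transient( $key );
        return new WP_Error( 'no_code', 'No valid code for this phone' );
    }
    if ( '' === $code || ! wp_check_password( $code, $state['hash'] ) ) {
        $state['attempts']++;
        set_transient( $key, $state, 5 * MINUTE_IN_SECONDS );
        return new WP_Error( 'bad_code', 'Incorrect code' );
    }
    delete_transient( $key ); // a verified code must not be replayable

    $users = get_users( array( 'meta_key' => 'user_phone', 'meta_value' => $phone, 'number' => 1 ) );
    if ( empty( $users ) ) {
        return new WP_Error( 'no_user', 'Unknown phone' );
    }
    wp_set_auth_cookie( $users[0]->ID );
    return $users[0]->ID;
}
```

The defender-relevant difference is that in the hardened flow the phone number is only an identifier; possession of the phone is demonstrated by the hashed, expiring, single-use code, and the lookup-and-login step never runs before that proof succeeds. When reviewing a plugin's SMS login handler, the check to make is exactly that ordering: whether `wp_set_auth_cookie` (or an equivalent) can be reached on a request that carries `user_phone` but no verified code.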



Advisories

Source: EUVD
ID: EUVD-2025-7400
Title: The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.
History

Fri, 07 Mar 2025 17:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 07 Mar 2025 07:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.

Type: Title
Values Removed: (none)
Values Added: WPCOM Member <= 1.7.5 - Authentication Bypass via 'user_phone'

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-287

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:18.719Z

Reserved: 2025-02-19T16:29:36.050Z

Link: CVE-2025-1475

Vulnrichment

Updated: 2025-03-07T16:21:39.344Z

NVD

Status: Deferred

Published: 2025-03-07T07:15:23.343

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1475

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T03:45:20Z

Weaknesses