Vulnerability Description
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/cla
- https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/mem
- https://plugins.trac.wordpress.org/changeset/3411048/wpcom-member
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4f02ee56-40bd-4132-92e
FAQ
What is CVE-2025-14002?
CVE-2025-14002 is a vulnerability with a CVSS score of 8.1 (HIGH). The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using ...
How severe is CVE-2025-14002?
CVE-2025-14002 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-14002?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.