What the vulnerability does
01Description
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.
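The three weaknesses the description lists (a 6-digit numeric code, a 10-minute lifetime, no attempt limit) combine into a single number: how many guesses the attacker can submit before the code expires, divided by the 1,000,000 possible codes. The following Python is an added example, not code from the WPCOM Member plugin; it computes that figure, then contrasts a verifier with unlimited attempts against one that bounds attempts per issued code, uses a constant-time comparison and invalidates the code after use. Every class and function name (OtpStore, simulate_brute_force, the phone-number string) is an assumption made for the example.

```python
"""Added example (not code from the WPCOM Member plugin): how far a 6-digit
SMS OTP with a 10-minute lifetime and no attempt limit is from safe, and what
a bounded verifier looks like. All class and function names are assumptions."""
import hmac
import secrets
import time

OTP_DIGITS = 6
CODE_SPACE = 10 ** OTP_DIGITS  # 1,000,000 possible codes


def brute_force_success_probability(requests_per_sec, window_sec, digits=OTP_DIGITS):
    """Chance of guessing a uniformly random numeric OTP before it expires when
    the verifier accepts an unlimited number of attempts at a fixed rate.
    Each distinct guess rules out one candidate, so P = attempts / code space."""
    attempts = requests_per_sec * window_sec
    return min(1.0, attempts / (10 ** digits))


def bounded_success_probability(max_attempts, digits=OTP_DIGITS):
    """Upper bound on the same chance once the verifier allows only
    max_attempts guesses per issued code (independent of the time window)."""
    return max_attempts / (10 ** digits)


class OtpStore:
    """Hypothetical OTP issuer/verifier keyed by phone number.

    max_attempts=None reproduces the weakness described in the advisory
    (unlimited verification attempts); a small integer adds the missing
    per-code attempt limit. ttl_sec bounds the validity window.
    """

    def __init__(self, ttl_sec=600, max_attempts=5, clock=time.time):
        self.ttl_sec = ttl_sec
        self.max_attempts = max_attempts
        self.clock = clock          # injectable so tests can control expiry
        self._entries = {}          # phone -> {"code", "expires", "attempts"}

    def issue(self, phone, code=None):
        """Generate and store a code; the `code` override exists only so the
        simulation below can run deterministically."""
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):0{OTP_DIGITS}d}"
        self._entries[phone] = {
            "code": code,
            "expires": self.clock() + self.ttl_sec,
            "attempts": 0,
        }
        return code

    def active(self, phone):
        return phone in self._entries

    def verify(self, phone, guess):
        entry = self._entries.get(phone)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self._entries[phone]           # expired: a fresh code is required
            return False
        if self.max_attempts is not None and entry["attempts"] >= self.max_attempts:
            del self._entries[phone]           # locked out: a fresh code is required
            return False
        entry["attempts"] += 1
        # Constant-time comparison: the verifier must not leak how many leading
        # digits of the guess matched.
        ok = hmac.compare_digest(entry["code"], str(guess))
        if ok:
            del self._entries[phone]           # one-time: never accept a code twice
        return ok


def simulate_brute_force(store, phone, code):
    """Attacker enumerates 000000, 000001, ... against one issued code.
    Returns (succeeded, verify_calls_made)."""
    store.issue(phone, code)
    calls = 0
    for n in range(CODE_SPACE):
        calls += 1
        if store.verify(phone, f"{n:0{OTP_DIGITS}d}"):
            return True, calls
        if not store.active(phone):            # expired or locked out
            return False, calls
    return False, calls


if __name__ == "__main__":
    print("P(success) at 1000 req/s for 600 s, unlimited attempts:",
          brute_force_success_probability(1000, 600))
    print("P(success) with 5 attempts per code:", bounded_success_probability(5))
    vulnerable = OtpStore(ttl_sec=600, max_attempts=None)
    hardened = OtpStore(ttl_sec=300, max_attempts=5)
    print("vulnerable:", simulate_brute_force(vulnerable, "+15555550100", "004242"))
    print("hardened:  ", simulate_brute_force(hardened, "+15555550100", "004242"))
```

At 1,000 verification requests per second an unlimited verifier gives the attacker a 60% chance per 10-minute code, and the chance scales linearly with request rate, so the time window alone is no defence. Capping attempts at five per issued code drops the bound to 5 in 1,000,000 regardless of how fast the attacker can send requests; the per-phone-number counter must be kept server-side (as here) rather than in anything the client controls, and a surrounding IP or account rate limit is still worth adding so that repeated "resend code" requests cannot be used to reset the counter indefinitely.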
Explanation of Vulnerability in Simple Terms
02Summary
WPCOM Member versions 1.7.16 and earlier contain an authentication flaw that lets an unauthenticated attacker log in as any user, administrators included, without valid credentials, by brute-forcing the SMS one-time password. Exploitation needs only network access to the site and the target's phone number, and it succeeds whenever the target does not act on the unexpected OTP message before the attacker guesses the code. A successful attack grants full read and write access to the site. All users of this plugin should update immediately.
What an attacker can do
03Attacker Capabilities
Bypass authentication and gain full read/write access to the site without valid credentials.
Potential impact on your site
04Site Impact
Attackers can read and modify all site data, including user accounts and content, without logging in.
Conditions required to exploit
05Prerequisites
Network access to the site and knowledge of the target user's phone number; no authentication is required, and no action by the target is needed (the attack fails only if the target notices the unexpected OTP SMS and responds before the code is guessed).
Key dates
06Disclosure timeline
December 16, 2025
CVE published
April 8, 2026
Record updated