CVE-2025-14002 HIGH

CVE-2025-14002: WPCOM Member <= 1.7.16 - Authentication Bypass via Weak OTP

Vendor Whyun
Product WPCOM Member
Weakness CWE-287 · Improper authentication
Published December 16, 2025
Last update April 8, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. The one-time password (OTP) used for SMS login is only 6 numeric digits (1,000,000 possible values), stays valid for 10 minutes, and the verification endpoint neither rate-limits nor caps failed attempts. An unauthenticated attacker who knows the target's phone number can therefore start an OTP login for that number and guess the code exhaustively inside the validity window, authenticating as that user, including administrators, as long as the target does not notice or ignores the SMS carrying the code.
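As an added example (constructed for this page, not code from the WPCOM Member plugin or its vendor), the Python model below quantifies why a 6-digit code, a 10-minute window and unlimited verification attempts combine into a practical brute force, and shows the per-code attempt cap that breaks it. The phone number, the fixed code 004242 and the 5-attempt limit are illustrative assumptions; the `code=` override on `issue()` exists only to make the demonstration reproducible.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 600            # the 10-minute validity window from the advisory
KEYSPACE = 10 ** OTP_DIGITS      # 1,000,000 possible codes


def success_probability(attempts: int, keyspace: int = KEYSPACE) -> float:
    """Chance that `attempts` distinct guesses include a uniformly random code."""
    return min(attempts, keyspace) / keyspace


def attempts_in_window(requests_per_second: float, ttl: int = OTP_TTL_SECONDS) -> int:
    """Guesses an attacker sending at a steady rate fits into one OTP lifetime."""
    return int(requests_per_second * ttl)


class OtpStore:
    """Server-side OTP state keyed by phone number.

    max_attempts=None reproduces the behaviour the advisory describes (unlimited
    verification attempts). A small integer models the fix: after that many
    failures the code is invalidated and a fresh one must be requested.
    """

    def __init__(self, max_attempts=None, ttl=OTP_TTL_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock
        self.sessions = {}   # phone -> {"code", "expires", "failures"}

    def issue(self, phone, code=None):
        # `code` is a demo-only override (assumption); production always takes the random path.
        if code is None:
            code = f"{secrets.randbelow(KEYSPACE):0{OTP_DIGITS}d}"
        self.sessions[phone] = {"code": code, "expires": self.clock() + self.ttl, "failures": 0}
        return code   # would go to the SMS gateway, never into the HTTP response

    def verify(self, phone, guess):
        s = self.sessions.get(phone)
        if s is None or self.clock() > s["expires"]:
            self.sessions.pop(phone, None)          # expired or unknown: nothing to verify
            return False
        if hmac.compare_digest(s["code"], guess):   # constant-time comparison
            del self.sessions[phone]                # single use
            return True
        s["failures"] += 1
        if self.max_attempts is not None and s["failures"] >= self.max_attempts:
            del self.sessions[phone]                # lockout: even the right code is now dead
        return False


def brute_force(store, phone, max_guesses=KEYSPACE):
    """Sequential attacker: try 000000, 000001, ... Returns (success, guesses_used)."""
    for n in range(max_guesses):
        if store.verify(phone, f"{n:0{OTP_DIGITS}d}"):
            return True, n + 1
    return False, max_guesses


if __name__ == "__main__":
    # Feasibility of the attack within a single 10-minute window.
    for rps in (10, 100, 1700):
        n = attempts_in_window(rps)
        print(f"{rps:>5} req/s -> {n:>8} guesses -> P(success) = {success_probability(n):.3f}")

    # Vulnerable configuration: the code is eventually guessed.
    weak = OtpStore(max_attempts=None)
    weak.issue("+15551234567", code="004242")
    print("no limit   :", brute_force(weak, "+15551234567"))

    # Hardened configuration: locked out after 5 failures, code invalidated.
    hard = OtpStore(max_attempts=5)
    hard.issue("+15551234567", code="004242")
    print("5 attempts :", brute_force(hard, "+15551234567", max_guesses=1000))
```

The arithmetic is the whole story: 1,000,000 codes in 600 seconds needs about 1,667 requests per second for an exhaustive search, and even a modest 100 requests per second gives a 6% chance per window. A cap on failed attempts per issued code reduces the attacker to a handful of guesses; as general guidance (not something the advisory states), the issuance endpoint should be rate-limited as well, so that the attacker cannot simply request a fresh code after each lockout.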

Explanation of Vulnerability in Simple Terms

02 Summary

WPCOM Member versions 1.7.16 and earlier contain an authentication flaw that lets an attacker log in as another user without valid credentials by guessing the SMS one-time code. The attack complexity is rated High because the attacker must know the target's phone number and guess a 6-digit code within its 10-minute lifetime; no privileges or user interaction are needed. Taking over an administrator account grants full read and write access to the site. All users of this product should update immediately.

What an attacker can do

03 Attacker Capabilities

Authenticate as any user whose phone number is known, including administrators, without a password or other credential. With an administrator account this amounts to full read/write control of the site.

Potential impact on your site

04 Site Impact

Once an administrator account is taken over, the attacker can read and modify all site data, including user accounts and content, without ever supplying a valid login.

Conditions required to exploit

05 Prerequisites

Network access to the OTP verification endpoint; knowledge of the target's phone number; a target who does not act on the unexpected SMS. No credentials or user interaction are required, but the 6-digit code must be guessed within its 10-minute validity window.

Key dates

06 Disclosure timeline

December 16, 2025 CVE published
April 8, 2026 Record updated