
CVE-2025-12374: CWE-287 Improper Authentication in pickplugins User Verification by PickPlugins

Severity: Critical
Published: Fri Dec 05 2025 (12/05/2025, 06:07:19 UTC)
Source: CVE Database V5
Vendor/Project: pickplugins
Product: User Verification by PickPlugins

Description

CVE-2025-12374 is a critical authentication bypass vulnerability in the WordPress plugin 'User Verification by PickPlugins' affecting all versions up to 2.0.39. The flaw arises because the plugin fails to verify that a one-time password (OTP) was actually generated before comparing it to user input, allowing attackers to bypass authentication by submitting an empty OTP. This enables unauthenticated attackers to log in as any user with a verified email address, including administrators, leading to full compromise of the affected WordPress site. The vulnerability has a CVSS score of 9.8, reflecting its high impact on confidentiality, integrity, and availability without requiring user interaction or privileges. Although no known exploits are currently reported in the wild, the ease of exploitation and severity make this a critical threat. European organizations using this plugin on WordPress sites should urgently apply patches or implement mitigations to prevent unauthorized access. Countries with high WordPress adoption and significant use of this plugin, such as Germany, the UK, France, and the Netherlands, are particularly at risk.

AI-Powered Analysis

Last updated: 12/05/2025, 06:45:15 UTC

Technical Analysis

CVE-2025-12374 is an authentication bypass vulnerability classified under CWE-287 affecting the 'User Verification by PickPlugins' WordPress plugin, specifically versions up to and including 2.0.39. The vulnerability stems from improper validation logic within the 'user_verification_form_wrap_process_otpLogin' function, where the plugin does not confirm that an OTP was generated before comparing the input OTP value. This logical flaw allows an attacker to submit an empty OTP value and bypass the authentication process entirely. Consequently, an unauthenticated attacker can impersonate any user with a verified email address, including high-privilege accounts such as administrators. The vulnerability is remotely exploitable over the network without any authentication or user interaction, making it highly dangerous. The CVSS v3.1 base score of 9.8 reflects its criticality, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits have been reported yet, the simplicity of the bypass and the widespread use of WordPress and this plugin increase the likelihood of exploitation. The lack of available patches at the time of publication further exacerbates the risk.
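The following Python model is an added illustration of the CWE-287 pattern described above, not the plugin's PHP code: a check that compares the submitted OTP against whatever is stored, without first confirming that an OTP was ever issued, beside a hardened version that refuses to compare when no OTP exists, enforces expiry and single use, and uses a constant-time comparison. The names `OtpStore`, `issue`, `vulnerable_otp_login`, `hardened_otp_login` and the 300-second lifetime are assumptions for this example only.

```python
"""Model of the missing 'was an OTP generated?' check (added example, not plugin code)."""
import hmac
import secrets
import time

OTP_TTL = 300  # seconds; assumed lifetime for the example, not the plugin's value


class OtpStore:
    """Per-email OTP record; a missing record means no OTP was ever issued."""

    def __init__(self):
        self._otps = {}  # email -> (code, issued_at)

    def issue(self, email):
        code = f"{secrets.randbelow(10**6):06d}"
        self._otps[email] = (code, time.time())
        return code

    def get(self, email):
        return self._otps.get(email)

    def consume(self, email):
        self._otps.pop(email, None)


def vulnerable_otp_login(store, email, submitted):
    """Flawed pattern: treats 'no OTP stored' as an empty string and compares it
    directly, so an empty submission matches when nothing was ever issued."""
    rec = store.get(email)
    stored = "" if rec is None else rec[0]
    return stored == submitted


def hardened_otp_login(store, email, submitted):
    """Fixed pattern: no issued OTP or empty input means there is nothing to
    verify, so the login is refused before any comparison happens."""
    rec = store.get(email)
    if rec is None or not submitted:
        return False
    code, issued_at = rec
    if time.time() - issued_at > OTP_TTL:
        store.consume(email)  # expired codes are discarded, not compared
        return False
    ok = hmac.compare_digest(code, submitted)
    if ok:
        store.consume(email)  # single use: a verified code cannot be replayed
    return ok
```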

Potential Impact

For European organizations, this vulnerability poses a severe risk to WordPress-based websites and web applications that utilize the affected plugin. Successful exploitation results in full compromise of user accounts, including administrators, enabling attackers to execute arbitrary actions such as data theft, website defacement, malware deployment, or pivoting to internal networks. This can lead to significant data breaches, loss of customer trust, regulatory penalties under GDPR, and operational disruptions. Organizations relying on WordPress for e-commerce, content management, or internal portals are particularly vulnerable. The critical nature of the vulnerability means that even organizations with strong perimeter defenses can be compromised if the plugin is installed and unpatched. The absence of user interaction or authentication requirements lowers the barrier for attackers, increasing the risk of automated mass exploitation campaigns targeting European entities.

Mitigation Recommendations

Immediate mitigation involves updating the 'User Verification by PickPlugins' plugin to a patched version once available. Until a patch is released, organizations should consider disabling the plugin entirely to eliminate the attack vector. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block requests with empty OTP parameters targeting the vulnerable function can provide temporary protection. Monitoring WordPress logs for suspicious login attempts with empty or missing OTP values is recommended to detect exploitation attempts. Additionally, enforcing multi-factor authentication (MFA) at the WordPress login level can reduce the impact of compromised credentials. Organizations should audit their WordPress installations to identify the presence of this plugin and verify that all user accounts have strong, unique passwords. Regular backups and incident response plans should be updated to prepare for potential compromise scenarios. Finally, educating administrators about the risk and signs of exploitation will enhance detection and response capabilities.


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-27T21:22:35.296Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69327c01f88dbe026c7c159b

Added to database: 12/5/2025, 6:30:25 AM

Last enriched: 12/5/2025, 6:45:15 AM

Last updated: 12/5/2025, 8:41:39 AM


