CVE-2025-12374: CWE-287 Improper Authentication in pickplugins User Verification by PickPlugins
The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.
AI Analysis
Technical Summary
CVE-2025-12374 is a critical vulnerability classified under CWE-287 (Improper Authentication) found in the 'User Verification by PickPlugins' WordPress plugin, which provides features like Email Verification, Email OTP, Passwordless login, and Magic Login. The vulnerability exists in all versions up to and including 2.0.39 due to improper validation logic in the 'user_verification_form_wrap_process_otpLogin' function. Specifically, the plugin does not verify whether an OTP was actually generated before comparing the user-submitted OTP value. This logical flaw allows an attacker to bypass the OTP verification step by submitting an empty OTP, effectively bypassing authentication controls. Consequently, an unauthenticated attacker can log in as any user with a verified email address, including high-privilege accounts such as administrators. The vulnerability has a CVSS v3.1 base score of 9.8, reflecting its critical nature with network attack vector, no required privileges, no user interaction, and full impact on confidentiality, integrity, and availability. Although no public exploits have been observed, the ease of exploitation and the severity of impact make this a high-risk threat. The lack of available patches necessitates immediate defensive actions to prevent exploitation. The vulnerability affects a widely used WordPress plugin, increasing the potential attack surface for websites relying on it for user verification and authentication.
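The flaw described above, shown as an added illustration rather than the plugin's own code: a login check that compares the submitted OTP against whatever is stored, so an empty submission matches an OTP that was never issued, beside a hardened version that refuses empty input, requires an issued and unexpired OTP, compares in constant time and consumes the code on use. The meta keys, constants and function names are hypothetical; the WordPress API calls (`get_user_meta`, `update_user_meta`, `delete_user_meta`, `wp_set_auth_cookie`) are real, and the OTP is assumed to be a six-digit numeric code.

```php
<?php
// Illustrative only, not the PickPlugins code. Meta keys and names are
// hypothetical placeholders; the OTP is assumed to be six decimal digits.
const EXAMPLE_OTP_META    = '_example_otp_hash';    // hypothetical user-meta key
const EXAMPLE_OTP_EXPIRES = '_example_otp_expires'; // hypothetical user-meta key
const EXAMPLE_OTP_TTL     = 300;                    // seconds an issued OTP stays valid

// Vulnerable pattern (CWE-287): when no OTP was ever issued, get_user_meta()
// returns '' and an empty submitted value compares equal, so the user is
// logged in without having proven control of the e-mail address.
function example_otp_login_vulnerable(int $user_id, string $submitted): bool {
    $stored = get_user_meta($user_id, EXAMPLE_OTP_META, true);
    if ($stored == $submitted) {          // '' == '' is true
        wp_set_auth_cookie($user_id);
        return true;
    }
    return false;
}

// Hardened pattern: reject empty input, require that an OTP exists and has
// not expired, compare in constant time, and consume the OTP on any attempt
// so it cannot be replayed or guessed across many requests.
function example_otp_login_hardened(int $user_id, string $submitted): bool {
    $submitted = trim($submitted);
    if ($submitted === '' || !ctype_digit($submitted)) {
        return false;
    }
    $stored_hash = get_user_meta($user_id, EXAMPLE_OTP_META, true);
    $expires     = (int) get_user_meta($user_id, EXAMPLE_OTP_EXPIRES, true);
    if (!is_string($stored_hash) || $stored_hash === '' || $expires < time()) {
        return false;                     // nothing issued, or issued too long ago
    }
    // One attempt per issued OTP: delete before comparing.
    delete_user_meta($user_id, EXAMPLE_OTP_META);
    delete_user_meta($user_id, EXAMPLE_OTP_EXPIRES);
    if (!hash_equals($stored_hash, hash('sha256', $submitted))) {
        return false;
    }
    wp_set_auth_cookie($user_id);
    return true;
}

// Issuing side, so the hardened check has something to compare against.
// Only a hash and an expiry are stored; hashing a six-digit code limits casual
// exposure of the plain value but is not a substitute for the expiry and
// single-use rules above.
function example_otp_issue(int $user_id): string {
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    update_user_meta($user_id, EXAMPLE_OTP_META, hash('sha256', $code));
    update_user_meta($user_id, EXAMPLE_OTP_EXPIRES, time() + EXAMPLE_OTP_TTL);
    return $code; // the caller sends this to the user's verified address
}
```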
Potential Impact
For European organizations, this vulnerability poses a severe risk of unauthorized access to WordPress websites and associated backend systems. Attackers exploiting this flaw can impersonate any user, including administrators, leading to full site compromise. This can result in data breaches involving sensitive customer and employee information, defacement of websites, insertion of malicious content, or use of compromised sites as pivot points for further network intrusion. The integrity and availability of web services can be severely disrupted, affecting business operations and reputation. Given the widespread use of WordPress across Europe, especially in sectors like e-commerce, government, education, and media, the potential impact is extensive. Organizations with compliance obligations under GDPR face additional risks of regulatory penalties due to unauthorized data access. The vulnerability's ease of exploitation without authentication or user interaction further elevates the threat level, making it a prime target for automated attacks and mass exploitation campaigns.
Mitigation Recommendations
Until an official patch is released, European organizations should take immediate and specific actions to mitigate this vulnerability:
1) Disable or uninstall the 'User Verification by PickPlugins' plugin to eliminate the attack vector.
2) If disabling the plugin is not feasible, restrict access to the WordPress login page using IP whitelisting or VPN-only access to limit exposure.
3) Implement Web Application Firewall (WAF) rules to detect and block login attempts with empty OTP values or anomalous authentication patterns related to this plugin.
4) Enforce multi-factor authentication (MFA) at the WordPress level or via external identity providers to add an additional security layer.
5) Monitor WordPress logs for suspicious login attempts or unusual user activity, focusing on accounts with verified emails.
6) Prepare for rapid patch deployment by subscribing to vendor notifications and security mailing lists.
7) Conduct an audit of all WordPress sites within the organization to identify installations of the vulnerable plugin and prioritize remediation.
8) Educate administrators about the risk and ensure strong password policies are in place as a secondary defense.
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-27T21:22:35.296Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69327c01f88dbe026c7c159b
Added to database: 12/5/2025, 6:30:25 AM
Last enriched: 12/12/2025, 7:16:14 AM
Last updated: 1/19/2026, 8:41:59 PM