CVE-2025-12374: CWE-287 Improper Authentication in pickplugins User Verification by PickPlugins
The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-12374 affects the 'User Verification by PickPlugins' WordPress plugin, specifically versions up to and including 2.0.39. This plugin provides features such as Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, and Magic Login. The core issue lies in the 'user_verification_form_wrap_process_otpLogin' function, where the plugin does not properly validate whether an OTP was generated before comparing it to the user-submitted OTP value. As a result, an attacker can submit an empty OTP value and bypass the authentication mechanism entirely. This flaw allows unauthenticated attackers to log in as any user who has a verified email address in the system, including high-privilege accounts like administrators. The vulnerability is classified under CWE-287 (Improper Authentication), indicating a failure to correctly verify user credentials. The CVSS v3.1 base score is 9.8, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, meaning the attack can be performed remotely over the network without any privileges or user interaction, and it results in complete compromise of confidentiality, integrity, and availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild, but the vulnerability is publicly disclosed and thus poses a significant risk. The plugin is widely used in WordPress sites for user verification and login enhancements, increasing the potential attack surface. Attackers exploiting this vulnerability could gain full administrative control, leading to data theft, site defacement, malware deployment, or pivoting to other internal systems.
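As an added illustration, not code from the plugin (this page shows none of it), the following hypothetical reconstruction shows the class of defect the description names, a comparison that runs even when no OTP was ever issued, beside a hardened version of the same check. The function names and the user-meta keys uv_login_otp and uv_login_otp_expires are assumptions; get_user_meta(), delete_user_meta() and hash_equals() are the real WordPress/PHP APIs.

```php
<?php
// Hypothetical reconstruction of the weak pattern (not the plugin's code).
// get_user_meta( ..., true ) returns '' when the key was never written, so a user
// who never requested an OTP has $stored_otp === '' and an empty submission matches.
function otp_login_check_weak( $user_id, $submitted_otp ) {
    $stored_otp = get_user_meta( $user_id, 'uv_login_otp', true );
    return $submitted_otp == $stored_otp; // '' == '' is true: no OTP generated, still "valid"
}

// Hardened check: refuse unless an OTP was actually generated for this user,
// is unexpired, is non-empty on both sides, and matches in constant time.
function otp_login_check_hardened( $user_id, $submitted_otp ) {
    $stored_otp = get_user_meta( $user_id, 'uv_login_otp', true );          // assumed key
    $expires_at = (int) get_user_meta( $user_id, 'uv_login_otp_expires', true ); // assumed key
    $submitted  = trim( (string) $submitted_otp );

    // 1. An OTP must exist server-side and the client must have sent one.
    if ( ! is_string( $stored_otp ) || $stored_otp === '' || $submitted === '' ) {
        return false;
    }
    // 2. The OTP must still be within its validity window.
    if ( $expires_at === 0 || time() > $expires_at ) {
        return false;
    }
    // 3. Strict, length-safe comparison; no loose == on user input.
    if ( ! hash_equals( $stored_otp, $submitted ) ) {
        return false;
    }
    // 4. Single use: discard the OTP once it has been accepted.
    delete_user_meta( $user_id, 'uv_login_otp' );
    delete_user_meta( $user_id, 'uv_login_otp_expires' );
    return true;
}

// Call site sketch: only set the auth cookie after the hardened check passes.
function otp_login_attempt( WP_User $user, $submitted_otp ) {
    if ( ! otp_login_check_hardened( $user->ID, $submitted_otp ) ) {
        return new WP_Error( 'uv_otp_invalid', 'Invalid or missing one-time code.' );
    }
    wp_set_auth_cookie( $user->ID );
    return true;
}
```

The empty-submission case in the description maps to step 1: an OTP login handler must treat "no OTP on record" as a failed login, never as a trivially satisfied comparison.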
Potential Impact
The impact of CVE-2025-12374 is severe and far-reaching. Successful exploitation allows attackers to bypass authentication controls and gain unauthorized access to any user account with a verified email, including administrators. This can lead to full site compromise, data breaches involving sensitive user information, unauthorized content modification, and potential deployment of malicious code or ransomware. For organizations relying on WordPress for their websites or internal portals, this vulnerability threatens the confidentiality, integrity, and availability of their systems. The ability to log in without credentials means attackers can evade detection and maintain persistent access. This could disrupt business operations, damage reputation, and result in regulatory penalties if personal or financial data is exposed. The vulnerability's ease of exploitation and lack of required user interaction increase the likelihood of automated attacks and widespread exploitation once proof-of-concept code becomes available. Given WordPress's global popularity, the vulnerability could affect a large number of organizations, especially those using this specific plugin for user verification and login management.
Mitigation Recommendations
1. Immediate mitigation involves disabling the 'User Verification by PickPlugins' plugin until a secure patch is released.
2. Monitor WordPress plugin updates closely and apply any security patches from PickPlugins as soon as they become available.
3. Implement additional multi-factor authentication (MFA) mechanisms at the WordPress login level to add a layer of security independent of the vulnerable plugin.
4. Restrict administrative access by IP whitelisting or VPN-only access where feasible to reduce exposure.
5. Audit user accounts with verified email addresses and remove or re-verify any suspicious or unused accounts.
6. Employ Web Application Firewalls (WAFs) with custom rules to detect and block login attempts with empty or malformed OTP values.
7. Conduct regular security assessments and penetration testing focused on authentication mechanisms.
8. Educate site administrators on the risks and signs of compromise related to this vulnerability.
9. Maintain comprehensive logging and monitoring to detect anomalous login activities promptly.
10. Consider alternative plugins or custom solutions for user verification that have undergone thorough security review.
Affected Countries
United States, India, Germany, United Kingdom, Canada, Australia, Brazil, France, Netherlands, Japan, South Korea, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-27T21:22:35.296Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69327c01f88dbe026c7c159b
Added to database: 12/5/2025, 6:30:25 AM
Last enriched: 2/27/2026, 8:26:11 PM
Last updated: 3/26/2026, 6:31:21 AM