CVE-2025-14002: CWE-287 Improper Authentication in whyun WPCOM Member
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.
AI Analysis
Technical Summary
CVE-2025-14002 is an authentication bypass vulnerability in the WPCOM Member plugin for WordPress. The issue arises from weak OTP generation consisting of only 6 numeric digits combined with a 10-minute validity window and absence of rate limiting on OTP verification attempts. This design flaw enables attackers to brute-force the OTP and authenticate as any user if the target's phone number is known. The vulnerability affects all plugin versions up to 1.7.16 and can lead to full compromise of confidentiality, integrity, and availability of affected accounts.
Potential Impact
Successful exploitation allows an unauthenticated attacker to bypass authentication and gain access to user accounts, including administrators, by brute-forcing the OTP. This compromises user account security, potentially leading to full control over the WordPress site and its data. The vulnerability has a high CVSS score of 8.1, reflecting significant impact on confidentiality, integrity, and availability.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Users should monitor the vendor's advisory channels for updates. As a temporary mitigation, administrators should consider disabling the vulnerable OTP feature or implementing additional rate limiting and monitoring on OTP verification attempts. Awareness of the risk of SMS-based OTP brute forcing should be raised among users. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2025-14002: CWE-287 Improper Authentication in whyun WPCOM Member
Description
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-14002 is an authentication bypass vulnerability in the WPCOM Member plugin for WordPress. The issue arises from weak OTP generation consisting of only 6 numeric digits combined with a 10-minute validity window and absence of rate limiting on OTP verification attempts. This design flaw enables attackers to brute-force the OTP and authenticate as any user if the target's phone number is known. The vulnerability affects all plugin versions up to 1.7.16 and can lead to full compromise of confidentiality, integrity, and availability of affected accounts.
Potential Impact
Successful exploitation allows an unauthenticated attacker to bypass authentication and gain access to user accounts, including administrators, by brute-forcing the OTP. This compromises user account security, potentially leading to full control over the WordPress site and its data. The vulnerability has a high CVSS score of 8.1, reflecting significant impact on confidentiality, integrity, and availability.
Mitigation Recommendations
No official patch or fix is currently available for this vulnerability. Users should monitor the vendor's advisory channels for updates. As a temporary mitigation, administrators should consider disabling the vulnerable OTP feature or implementing additional rate limiting and monitoring on OTP verification attempts. Awareness of the risk of SMS-based OTP brute forcing should be raised among users. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-04T02:28:05.914Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69412552594e45819d817425
Added to database: 12/16/2025, 9:24:34 AM
Last enriched: 4/9/2026, 4:40:37 PM
Last updated: 5/10/2026, 10:11:18 AM
Views: 201
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.