Vulnerabilities

CVE-2025-14002 - WPCOM Member <= 1.7.16 - authentication bypass via weak otp

2025-12-16 0 views admin

CVE ID : CVE-2025-14002 Published : Dec. 16, 2025, 9:20 a.m. | 29 minutes ago Description : The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE Details

CVE ID

CVE-2025-14002

Published

Dec. 16, 2025

Affected Product: WordPress

Impact: authentication bypass

Source: Telegram CVE Monitor

🏷️ Tags

cvevulnerabilitysecuritycybersecuritycve-2025-14002wordpress

CVE-2025-14002 - WPCOM Member <= 1.7.16 - authentication bypass via weak otp

CVE Details

🏷️ Tags

More from Vulnerabilities

CVE-2023-53894 - phpfm 1.7.9 Authentication Bypass via Type Juggling Vulnerability

CVE-2023-53903 - WebsiteBaker 2.13.3 Stored Cross-Site Scripting via SVG File Upload

CVE-2023-53902 - WebsiteBaker 2.13.3 Directory Traversal via Media Delete Endpoint

CVE-2023-53901 - WBCE CMS 1.6.1 Cross-Site Scripting and Open Redirect Vulnerability

Trending

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

CVE-2025-43939: Dell Unity OS Command Injection (High)

Google disputes false claims of massive Gmail data breach

Microsoft: DNS outage impacts Azure and Microsoft 365 services

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting