CVE-2025-14002
📋 TL;DR
The WPCOM Member WordPress plugin has an authentication bypass vulnerability that allows attackers to brute-force 6-digit OTP codes within a 10-minute window. This enables unauthenticated attackers to log in as any user, including administrators, if they know the target's phone number. All WordPress sites using WPCOM Member version 1.7.16 or earlier are affected.
💻 Affected Systems
- WPCOM Member WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to WordPress sites, allowing complete site takeover, data theft, malware installation, and defacement.
Likely Case
Attackers compromise user accounts to steal sensitive data, send spam, or escalate privileges to administrative access.
If Mitigated
Attackers are blocked by rate limiting or fail to brute-force within the 10-minute window, resulting in no compromise.
🎯 Exploit Status
Brute-forcing 6-digit numeric codes (1,000,000 combinations) is trivial with automated tools, especially without rate limiting.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.17 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3411048/wpcom-member
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WPCOM Member and update to version 1.7.17 or later.
4. Verify the update completes successfully.
🔧 Temporary Workarounds
Implement Rate Limiting via WAF
Configure the web application firewall to limit OTP verification attempts per IP address. The ModSecurity example below keeps a per-IP counter that expires after 600 seconds (the OTP's 10-minute validity window) and denies further verification requests once it exceeds 10; the rule ids and the 429 status are illustrative.
# Example for ModSecurity: initialise the per-IP collection, count requests to the OTP endpoint, block above the threshold
SecAction "id:1000,phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
SecRule REQUEST_URI "@contains /wpcom-member/otp-verify" "id:1001,phase:2,nolog,pass,setvar:ip.wpcom_otp_attempts=+1,expirevar:ip.wpcom_otp_attempts=600"
SecRule IP:WPCOM_OTP_ATTEMPTS "@gt 10" "id:1002,phase:2,deny,status:429,log,msg:'WPCOM Member OTP brute-force attempt'"
Disable WPCOM Member Plugin
Temporarily disable the plugin until patched to prevent exploitation.
wp plugin deactivate wpcom-member
🧯 If You Can't Patch
- Disable the WPCOM Member plugin immediately via WordPress admin or command line.
- Implement network-level rate limiting for all requests to /wpcom-member/ paths using a WAF or load balancer.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for WPCOM Member version 1.7.16 or earlier.
Check Version:
wp plugin list --name=wpcom-member --field=version
Verify Fix Applied:
Confirm WPCOM Member is updated to version 1.7.17 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed OTP verification attempts from single IP address within short timeframes
- Successful logins from unusual IP addresses after OTP verification attempts
Network Indicators:
- High volume of POST requests to /wpcom-member/otp-verify endpoints
- Traffic patterns showing brute-force attempts (e.g., sequential numeric requests)
SIEM Query:
source="web_logs" AND uri_path="/wpcom-member/otp-verify" AND status=200 | stats count by src_ip | where count > 10
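The same sliding-window check as the SIEM query, applied offline to raw access logs, as an added example that is not part of the advisory or the plugin: it counts POSTs to the OTP verification endpoint per source IP inside any 10-minute window and flags IPs that exceed 10 attempts. The log lines are constructed, and the combined-log format and the /wpcom-member/otp-verify path are assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-format line: client IP, timestamp, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
OTP_PATH = "/wpcom-member/otp-verify"   # endpoint path as named in the advisory (assumed)
WINDOW_SECONDS = 600                    # the OTP's 10-minute validity window
THRESHOLD = 10                          # same cut-off as the advisory's SIEM query

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"].split("?")[0], "status": int(m["status"])}

def find_otp_bruteforce(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: peak_attempts} for IPs that sent more than `threshold` POSTs to the
    OTP endpoint within any sliding window of `window` seconds. All response codes are
    counted: a rejected OTP is often still an HTTP 200 JSON reply, so filtering on
    status would hide the failures that matter."""
    recent = defaultdict(deque)   # per-IP timestamps of OTP POSTs inside the window
    flagged = {}
    for line in lines:            # lines are assumed to be in chronological order
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != OTP_PATH:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()           # drop attempts older than the window
        if len(q) > threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged

# Constructed sample: one client hammering the endpoint, one client with two normal attempts.
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2025:10:00:{i:02d} +0000] "POST /wpcom-member/otp-verify HTTP/1.1" 200 87'
    for i in range(12)
] + [
    '198.51.100.2 - - [01/Jan/2025:10:00:30 +0000] "POST /wpcom-member/otp-verify HTTP/1.1" 200 87',
    '198.51.100.2 - - [01/Jan/2025:10:01:30 +0000] "POST /wpcom-member/otp-verify HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    print(find_otp_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': 12}
```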
🔗 References
- https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/class-sesstion.php#L29
- https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/member-functions.php#L833
- https://plugins.trac.wordpress.org/changeset/3411048/wpcom-member
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4f02ee56-40bd-4132-92e1-e2897ff2a4c4?source=cve