CVE-2025-1475
📋 TL;DR
The WPCOM Member WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to log in as any existing user, including administrators, when SMS login is enabled. This affects all versions up to and including 1.7.5. WordPress sites using this plugin with SMS authentication are vulnerable.
💻 Affected Systems
- WPCOM Member WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to WordPress sites, enabling complete site takeover, data theft, malware injection, and defacement.
Likely Case
Attackers compromise user accounts to steal sensitive data, escalate privileges, or deploy backdoors for persistent access.
If Mitigated
With SMS login disabled, the vulnerability cannot be exploited, though the plugin remains vulnerable if SMS is later enabled.
🎯 Exploit Status
Exploitation requires sending crafted requests to the login endpoint with manipulated user_phone parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.6
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3248208/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WPCOM Member plugin. 4. Click 'Update Now' if update available. 5. If no update appears, manually download version 1.7.6+ from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable SMS Login
allTemporarily disable SMS authentication feature in plugin settings to prevent exploitation.
Disable Plugin
allDeactivate WPCOM Member plugin until patched.
🧯 If You Can't Patch
- Disable SMS login feature immediately in plugin settings.
- Implement web application firewall rules to block requests containing manipulated user_phone parameters.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for WPCOM Member version <= 1.7.5.Check Version:
wp plugin list --name=wpcom-member --field=versionVerify Fix Applied:
Confirm WPCOM Member plugin version is 1.7.6 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual login attempts with user_phone parameter manipulation in WordPress or web server logs.
- Multiple failed login attempts followed by successful login from same IP with different user accounts.
Network Indicators:
- HTTP POST requests to /wp-login.php or plugin-specific endpoints containing user_phone parameter with unexpected values.
SIEM Query:
source="wordpress.log" AND "user_phone" AND (status=200 OR "login successful")