CVE-2025-14002
WPCOM Member <= 1.7.16 - Authentication Bypass via Weak OTP
CVSS Score
8.1
EPSS Score
0.0%
EPSS Percentile
0th
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.
| CWE | CWE-287 |
| Vendor | whyun |
| Product | wpcom member |
| Published | Dec 16, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for whyun wpcom member
Be the first to know when new high vulnerabilities affecting whyun wpcom member are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
whyun / WPCOM Member
0 โค 1.7.16
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/4f02ee56-40bd-4132-92e1-e2897ff2a4c4?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/class-sesstion.php#L29 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/member-functions.php#L833 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3411048/wpcom-member
Credits
wesley