CVE-2025-7955

CRITICAL 9.8

RingCentral Communications 1.5 - 1.6.8 - Missing Server‑Side Verification to Authentication Bypass via ringcentral_admin_login_2fa_verify Function

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

The RingCentral Communications plugin for WordPress is vulnerable to Authentication Bypass due to improper validation within the ringcentral_admin_login_2fa_verify() function in versions 1.5 to 1.6.8. This makes it possible for unauthenticated attackers to log in as any user simply by supplying identical bogus codes.

CWE	CWE-287
Vendor	pbmacintyre
Product	ringcentral communications plugin – free
Published	Aug 28, 2025
Last Updated	Aug 28, 2025

Stay Ahead of the Next One

Get instant alerts for pbmacintyre ringcentral communications plugin – free

Be the first to know when new critical vulnerabilities affecting pbmacintyre ringcentral communications plugin – free are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

pbmacintyre / RingCentral Communications Plugin – FREE

1.5 ≤ 1.6.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/0386ed09-296d-4f33-9fe0-964c0c0a9652?source=cve wordpress.org: https://wordpress.org/plugins/rccp-free/#developers plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/rccp-free/tags/1.6.8/ringcentral.php plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3349361/

Credits

Kenneth Dunn