Authentication Bypass Vulnerability in WPCOM Member Plugin for WordPress
CVE-2025-1475
9.8 CRITICAL
What is CVE-2025-1475?
The WPCOM Member plugin for WordPress is susceptible to an authentication bypass vulnerability in all versions up to and including 1.7.5. The vulnerability stems from inadequate verification of the 'user_phone' parameter during the login process. As a result, when SMS-based login is enabled, unauthenticated attackers could potentially gain access to any existing user account on the site, including administrative accounts. This could lead to unauthorized actions and a compromise of the site's security. Website administrators are urged to review their plugin configuration and apply any available updates to mitigate this risk.
Affected Version(s)
WPCOM Member * <= 1.7.5
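The bug class described above is an SMS login that accepts a client-supplied phone number as the basis for selecting the account without binding it to a verified one-time code. The following is an added defensive example written for this page, not code from the WPCOM Member plugin; it assumes the phone number is stored under the user-meta key 'user_phone' and that the one-time code is kept in a WordPress transient keyed by the phone it was issued for:

```php
<?php
// Added illustration, not code from the WPCOM Member plugin.
// Assumptions (not from the advisory): phone numbers live in user meta
// under 'user_phone'; outstanding codes are WordPress transients.

define('SMS_OTP_TTL', 5 * MINUTE_IN_SECONDS);

// Step 1: issue a code for a phone number. Only an HMAC of the code is
// stored, together with the phone it was issued for.
function sms_login_issue_code(string $phone): string {
    $code = str_pad((string) wp_rand(0, 999999), 6, '0', STR_PAD_LEFT);
    set_transient(
        'sms_otp_' . md5($phone),
        [
            'phone' => $phone,
            'mac'   => hash_hmac('sha256', $code, wp_salt('auth')),
            'exp'   => time() + SMS_OTP_TTL,
        ],
        SMS_OTP_TTL
    );
    return $code; // hand to the SMS gateway; never return it to the browser
}

// Step 2: the request's user_phone is only a claim. It is used to find an
// outstanding code, and the account is resolved from the phone bound at
// issuance, after the code has proven possession of that phone.
function sms_login_verify(string $claimed_phone, string $code): ?WP_User {
    $key    = 'sms_otp_' . md5($claimed_phone);
    $record = get_transient($key);
    if (!is_array($record) || $record['exp'] < time()) {
        return null;            // no outstanding code for this phone
    }
    delete_transient($key);     // single use, whether or not it matches
    $expected = hash_hmac('sha256', $code, wp_salt('auth'));
    if (!hash_equals($record['mac'], $expected)) {
        return null;            // wrong code (constant-time comparison)
    }
    $users = get_users([
        'meta_key'   => 'user_phone',
        'meta_value' => $record['phone'],
        'number'     => 2,
    ]);
    if (count($users) !== 1) {
        return null;            // unknown or ambiguous phone number
    }
    wp_set_auth_cookie($users[0]->ID, false);
    return $users[0];
}
```

The check that matters is that no code path sets an auth cookie from the submitted phone alone; a login attempt for a phone that has no outstanding code, or with a wrong or expired code, fails before any user lookup.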