Cyber Resilience

CVE-2025-12374

Severity: Critical
Published: 05 December 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (update beyond version 2.0.44; see Mitigating Controls)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0049 (66.1st percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-12374 is a critical-severity Improper Authentication (CWE-287) vulnerability affecting WordPress (product inferred from references; see Affected Assets). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-12374 is an authentication bypass vulnerability in the Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress, affecting all versions up to and including 2.0.44. The issue stems from the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function, mapped to CWE-287 (Improper Authentication). Published on 2025-12-05 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it enables critical unauthorized access.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction or privileges required. By submitting an empty OTP value, they can log in as any user with a verified email address, such as an administrator, granting full compromise of confidentiality, integrity, and availability for the targeted account and potentially the entire site.

Advisories and plugin references, including the Wordfence threat intelligence page, the WordPress plugin Trac source at hook.php line 141, and changeset 3442150, detail the flaw and the associated fix. Mitigation consists of updating to a version beyond 2.0.44, where the validation logic is presumably corrected.

Vulnerability details

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.
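The root cause described above (both in the deeper analysis and in the vulnerability details) is a missing precondition check: the handler compares the submitted code against whatever OTP is stored, without first confirming that an OTP was ever issued. The following PHP is an added illustration written for this page; it is not the plugin's code and does not reproduce the "user_verification_form_wrap_process_otpLogin" function. The array-based store, the function names and the sample users are assumptions standing in for user meta or transients. It shows the vulnerable comparison pattern beside a hardened verifier that refuses to proceed when no OTP exists, rejects empty or malformed input before comparing, enforces expiry, compares in constant time, and invalidates the code after one successful use.

```php
<?php
// Added illustration for CVE-2025-12374's bug class; not the plugin's own code.
// $store maps email => ['otp' => string, 'expires' => int] (assumption standing
// in for WordPress user meta / transients).

declare(strict_types=1);

// --- Vulnerable pattern (illustrative) ---------------------------------------
// When no OTP was ever generated for the account, $stored falls back to ''.
// A loose comparison of '' against an empty submission succeeds, so the
// "no OTP issued" state is indistinguishable from a correct code.
function otp_login_vulnerable(array $store, string $email, string $submitted): bool
{
    $stored = $store[$email]['otp'] ?? '';
    if ($submitted == $stored) {   // '' == '' is true: blank input is accepted
        return true;               // caller would now authenticate the user
    }
    return false;
}

// --- Hardened pattern --------------------------------------------------------
function otp_login_hardened(array &$store, string $email, string $submitted, int $now): bool
{
    // 1. Refuse unless an OTP was actually issued for this account.
    if (!isset($store[$email]['otp'], $store[$email]['expires'])) {
        return false;
    }
    $stored = (string) $store[$email]['otp'];

    // 2. Refuse empty or malformed codes before any comparison takes place.
    if ($stored === '' || $submitted === '' || !ctype_digit($submitted)) {
        return false;
    }

    // 3. Refuse expired codes and clear them so they cannot be retried.
    if ($now > (int) $store[$email]['expires']) {
        unset($store[$email]);
        return false;
    }

    // 4. Strict, constant-time comparison of the known value against user input.
    if (!hash_equals($stored, $submitted)) {
        return false;
    }

    // 5. Single use: invalidate the OTP on success.
    unset($store[$email]);
    return true;
}

// Constructed sample data (assumption): one account without an issued OTP
// (the state the advisory describes) and one with a live OTP.
$store = [
    'admin@example.test' => [],
    'user@example.test'  => ['otp' => '482913', 'expires' => 1700000600],
];
$now = 1700000000;

// Blank code against an account that never requested an OTP.
var_dump(otp_login_vulnerable($store, 'admin@example.test', ''));
var_dump(otp_login_hardened($store, 'admin@example.test', '', $now));

// Correct code, then the same code replayed after it was consumed.
var_dump(otp_login_hardened($store, 'user@example.test', '482913', $now));
var_dump(otp_login_hardened($store, 'user@example.test', '482913', $now));
```

The first pair of calls contrasts the two handlers on exactly the precondition the advisory names: the vulnerable version reaches its comparison with nothing stored, while the hardened version exits at step 1 and never compares. The last call shows why invalidation on success matters: once consumed, the stored OTP is gone and the same code cannot be replayed. For detection, a login that succeeds via the OTP path for an account with no recent OTP issuance event is the anomaly to alert on.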

CWE(s)

CWE-287 Improper Authentication

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing WordPress plugin, directly enabling exploitation of a public-facing application (T1190) to impersonate any user and compromise the site.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-71279 (shared CWE-287)
CVE-2024-13804 (shared CWE-287)
CVE-2024-57046 (shared CWE-287)
CVE-2026-1203 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2025-43995 (shared CWE-287)
CVE-2026-7876 (shared CWE-287)
CVE-2025-0637 (shared CWE-287)
CVE-2025-61882 (shared CWE-287)
CVE-2026-0589 (shared CWE-287)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent): Requires timely remediation of identified software flaws, directly addressing the authentication bypass by updating the vulnerable WordPress plugin beyond version 2.0.44.

IA-5 Authenticator Management (prevent): Ensures proper management and verification of OTP authenticators, preventing bypasses from insufficient checks on OTP generation prior to input comparison.

Enforcement of approved authorizations (prevent): Mandates enforcement of approved authorizations, mitigating unauthorized access enabled by the plugin's flawed OTP validation logic.

References