Cyber Resilience

CVE-2025-14002

High

Published: 16 December 2025

Published
16 December 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0030 53.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14002 is a high-severity Improper Authentication (CWE-287) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-14002 is an authentication bypass vulnerability in the WPCOM Member plugin for WordPress, affecting all versions up to and including 1.7.16. The issue stems from weak OTP generation using only 6 numeric digits, a 10-minute validity window, and the absence of rate limiting on verification attempts, enabling brute-force attacks against the one-time password sent via SMS. Published on 2025-12-16 with a CVSS v3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H) and mapped to CWE-287 (Improper Authentication), it exposes WordPress sites relying on this plugin for membership management.

Unauthenticated attackers can exploit this vulnerability if they know the target user's phone number. By brute-forcing the 1,000,000 possible 6-digit codes within the 10-minute window, they can gain valid authentication sessions as any user, including administrators, provided the target does not notice or act on the SMS notification containing the OTP.

Mitigation requires updating the WPCOM Member plugin beyond version 1.7.16, as indicated by WordPress plugin repository references including source code in class-session.php (line 29), member-functions.php (line 833), and changeset 3411048 which addresses the flaw. Additional details are available in Wordfence's threat intelligence report.

EU & UK References

Vulnerability details

The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute…

more

validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1110.001 Password Guessing Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

The vulnerability is an improper authentication bypass in a public-facing WordPress plugin (T1190) that facilitates brute-force guessing of weak OTPs due to short length, long validity window, and lack of rate limiting (T1110.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27856Shared CWE-287
CVE-2025-71279Shared CWE-287
CVE-2024-13804Shared CWE-287
CVE-2024-57046Shared CWE-287
CVE-2026-1203Shared CWE-287
CVE-2026-1740Shared CWE-287
CVE-2025-43995Shared CWE-287
CVE-2026-7876Shared CWE-287
CVE-2025-0637Shared CWE-287
CVE-2025-61882Shared CWE-287

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Establishes thresholds and lockouts for unsuccessful logon attempts, directly preventing brute-force attacks on OTP verification by implementing rate limiting.

prevent

Ensures authenticators like OTPs have sufficient strength of mechanism, addressing the weak 6-digit numeric generation and long 10-minute validity window.

prevent

Requires timely identification, reporting, and correction of flaws, directly mitigating this vulnerability through plugin updates beyond version 1.7.16.

References