CVE-2025-14002
Published: 16 December 2025
Summary
CVE-2025-14002 is a high-severity Improper Authentication (CWE-287) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Establishes thresholds and lockouts for unsuccessful logon attempts, directly preventing brute-force attacks on OTP verification by implementing rate limiting.
Ensures authenticators like OTPs have sufficient strength of mechanism, addressing the weak 6-digit numeric generation and long 10-minute validity window.
Requires timely identification, reporting, and correction of flaws, directly mitigating this vulnerability through plugin updates beyond version 1.7.16.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an improper authentication bypass in a public-facing WordPress plugin (T1190) that facilitates brute-force guessing of weak OTPs due to short length, long validity window, and lack of rate limiting (T1110.001).
NVD Description
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute…
more
validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.
Deeper analysisAI
CVE-2025-14002 is an authentication bypass vulnerability in the WPCOM Member plugin for WordPress, affecting all versions up to and including 1.7.16. The issue stems from weak OTP generation using only 6 numeric digits, a 10-minute validity window, and the absence of rate limiting on verification attempts, enabling brute-force attacks against the one-time password sent via SMS. Published on 2025-12-16 with a CVSS v3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H) and mapped to CWE-287 (Improper Authentication), it exposes WordPress sites relying on this plugin for membership management.
Unauthenticated attackers can exploit this vulnerability if they know the target user's phone number. By brute-forcing the 1,000,000 possible 6-digit codes within the 10-minute window, they can gain valid authentication sessions as any user, including administrators, provided the target does not notice or act on the SMS notification containing the OTP.
Mitigation requires updating the WPCOM Member plugin beyond version 1.7.16, as indicated by WordPress plugin repository references including source code in class-session.php (line 29), member-functions.php (line 833), and changeset 3411048 which addresses the flaw. Additional details are available in Wordfence's threat intelligence report.
Details
- CWE(s)