Cyber Resilience

CVE-2025-7692

Severity: High
Published: 22 July 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0036 (58.4th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7692 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 41.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-7692 is an authentication bypass vulnerability in the Orion Login with SMS plugin for WordPress, affecting all versions up to and including 1.0.5. The flaw arises in the olws_handle_verify_phone() function, which relies on a weak one-time password (OTP) value, exposes the hash needed to generate the OTP, and enforces no limits on the number of code submission attempts. This CWE-288 issue has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential for high confidentiality, integrity, and availability impacts over the network.

Unauthenticated attackers can exploit the vulnerability if they obtain a target user's phone number. By leveraging the exposed hash and unlimited guesses against the predictable OTP, they can impersonate any user, including administrators, gaining unauthorized access to the WordPress site without valid credentials.

Advisories detailing the vulnerability and mitigation are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/31a47cbd-c19b-4ac3-87ed-2d4c5c0e9cb7?source=cve and the plugin's WordPress page at https://wordpress.org/plugins/orion-login-with-sms/. Security practitioners should review these for patch information and apply updates promptly to affected installations.
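As an added illustration (not the plugin's code, and not a reconstruction of olws_handle_verify_phone()), the following Python model shows the three server-side properties whose absence the advisory describes: an OTP drawn from a CSPRNG, a verification secret that never leaves the server, and a hard cap on submission attempts with expiry and single use. The class name, constants and phone-number format are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # 10^6 codes; only safe together with an attempt cap (AC-7)
MAX_ATTEMPTS = 5        # unsuccessful submissions allowed before the code is discarded
OTP_TTL_SECONDS = 300   # a code is valid for five minutes


class OtpVerifier:
    """Server-side OTP state. Nothing stored here is ever returned to the client."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key          # server-only secret; never exposed in a page or API response
        self._now = now                 # injectable clock so expiry can be tested
        self._pending = {}              # phone -> [digest, expires_at, attempts_left]

    def _digest(self, phone: str, code: str) -> bytes:
        # Keyed hash bound to the phone number; useless to a client without server_key (IA-5)
        return hmac.new(self._key, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, phone: str) -> str:
        # Unpredictable code from the OS CSPRNG; the caller delivers it over SMS
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[phone] = [self._digest(phone, code), self._now() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, phone: str, submitted: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False                # no outstanding code, or it was already consumed
        digest, expires_at, _ = entry
        if self._now() > expires_at:
            self._pending.pop(phone, None)
            return False                # expired: a fresh code must be requested
        entry[2] -= 1                   # every submission, right or wrong, spends an attempt
        if hmac.compare_digest(digest, self._digest(phone, submitted)):
            self._pending.pop(phone, None)   # single use
            return True
        if entry[2] <= 0:
            self._pending.pop(phone, None)   # attempt cap reached: lock out this code
        return False
```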

EU & UK References

Vulnerability details

The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the olws_handle_verify_phone() function not utilizing a strong enough OTP value, exposing the hash needed to generate the OTP value, and no restrictions on the number of attempts to submit the code. This makes it possible for unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number.

CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

Direct auth bypass in public-facing WordPress plugin via weak OTP + unlimited attempts enables T1190 exploitation and T1110 brute-force guessing.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-10294 (shared CWE-288)
CVE-2026-3461 (shared CWE-288)
CVE-2025-67070 (shared CWE-288)
CVE-2026-42760 (shared CWE-288)
CVE-2026-44575 (shared CWE-288)
CVE-2026-1779 (shared CWE-288)
CVE-2025-0316 (shared CWE-288)
CVE-2026-45109 (shared CWE-288)
CVE-2025-5397 (shared CWE-288)
CVE-2026-31271 (shared CWE-288)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

AC-7 (prevent): enforces limits on unsuccessful logon attempts, directly mitigating the unlimited OTP submission guesses that enable authentication bypass.

IA-5 (prevent): requires strong authenticator management, addressing the weak OTP values and exposure of the generation hash in the plugin.

SI-2 (prevent): mandates timely flaw remediation, such as patching the vulnerable Orion Login with SMS plugin to fix the authentication bypass.

References