CVE-2025-7692
Published: 22 July 2025
Summary
CVE-2025-7692 is a high-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 41.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2025-7692 is an authentication bypass vulnerability in the Orion Login with SMS plugin for WordPress, affecting all versions up to and including 1.0.5. The flaw arises in the olws_handle_verify_phone() function, which relies on a weak one-time password (OTP) value, exposes the hash needed to generate the OTP, and enforces no limits on the number of code submission attempts. This CWE-288 issue has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential for high confidentiality, integrity, and availability impacts over the network.
Unauthenticated attackers can exploit the vulnerability if they obtain a target user's phone number. By leveraging the exposed hash and unlimited guesses against the predictable OTP, they can impersonate any user, including administrators, gaining unauthorized access to the WordPress site without valid credentials.
Advisories detailing the vulnerability and mitigation are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/31a47cbd-c19b-4ac3-87ed-2d4c5c0e9cb7?source=cve and the plugin's WordPress page at https://wordpress.org/plugins/orion-login-with-sms/. Security practitioners should review these for patch information and apply updates promptly to affected installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22303
Vulnerability details
The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the olws_handle_verify_phone() function not utilizing a strong enough OTP value, exposing the hash needed to generate the OTP value, and no restrictions on the number of attempts to submit the code. This makes it possible for unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A direct authentication bypass in a public-facing WordPress plugin, via a weak OTP combined with unlimited submission attempts, enables T1190 (Exploit Public-Facing Application) and T1110 (Brute Force) guessing of the code.
Mitigating Controls (NIST 800-53 r5)
AC-7 enforces limits on unsuccessful logon attempts, directly mitigating the unlimited OTP submission guesses that enable authentication bypass.
IA-5 requires strong authenticator management, addressing the weak OTP values and exposure of the generation hash in the plugin.
SI-2 mandates timely flaw remediation, such as patching the vulnerable Orion Login with SMS plugin to fix the authentication bypass.
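The three defects described in the deeper analysis (weak OTP value, hash exposed to the client, unlimited attempts) and the AC-7 / IA-5 controls above map onto a small set of server-side choices. The following is an added illustration written for this page, not the Orion Login with SMS plugin's code or its fix; the `hardened_otp_*` function names and constants are hypothetical, and it assumes only WordPress' transient API plus PHP's `random_int()` and `password_hash()`.

```php
<?php
// Added example, not the Orion Login with SMS plugin's code: a phone-OTP
// flow that closes the three defects named above (weak OTP, hash exposed to
// the client, unlimited attempts). Assumes WordPress' transient API.

const HARDENED_OTP_TTL      = 300; // seconds a code stays valid
const HARDENED_OTP_ATTEMPTS = 5;   // AC-7: lock after this many wrong codes

function hardened_otp_key( string $phone ): string {
    return 'hardened_otp_' . md5( $phone ); // transient names must stay short
}

// Issue a code. Only the digits go to the SMS gateway; the server keeps a
// salted one-way hash, so nothing reaching the client lets it derive the code.
function hardened_otp_issue( string $phone ): string {
    $code = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT ); // CSPRNG
    set_transient( hardened_otp_key( $phone ), [
        'hash'     => password_hash( $code, PASSWORD_DEFAULT ), // IA-5: never store or send the raw code
        'attempts' => 0,
        'expires'  => time() + HARDENED_OTP_TTL,
    ], HARDENED_OTP_TTL );
    return $code; // hand to the SMS sender only; never echo it into an HTTP response
}

// Verify a submitted code. True only for the right code inside the attempt
// budget; every miss burns an attempt, and a code is consumed on first success.
function hardened_otp_verify( string $phone, string $submitted ): bool {
    $key   = hardened_otp_key( $phone );
    $state = get_transient( $key );
    if ( ! is_array( $state ) || $state['expires'] <= time() ) {
        delete_transient( $key );
        return false; // expired or never issued
    }
    if ( $state['attempts'] >= HARDENED_OTP_ATTEMPTS ) {
        delete_transient( $key ); // lockout: the user must request a new code
        return false;
    }
    // password_verify() compares in constant time, so wrong guesses leak no timing signal.
    if ( ! password_verify( $submitted, $state['hash'] ) ) {
        $state['attempts']++;
        set_transient( $key, $state, max( 1, $state['expires'] - time() ) );
        return false;
    }
    delete_transient( $key ); // success: single use
    return true;
}
```

With a uniformly random six-digit code and a budget of five guesses, a code is guessed with probability 5 in 1,000,000 per issuance, versus certainty when attempts are unlimited. Because the lockout is keyed by phone number, a deployment would also rate-limit code requests per source address so the counter cannot be used to lock legitimate users out.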