CVE-2025-9967
Published: 15 October 2025
Summary
CVE-2025-9967 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-5 mandates verifying user identity prior to distributing or changing authenticators like passwords, directly countering the plugin's failure to validate identity before password updates.
AC-3 enforces approved access authorizations, preventing unauthenticated attackers from accessing password update functions even with knowledge of a phone number.
AC-2 requires secure account management processes including identity verification for modifications like password changes to block unauthorized account takeovers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated exploitation of a public-facing WordPress plugin vulnerability (T1190) enables account takeover and privilege escalation (T1068) via flawed password reset validation.
NVD Description
The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user's identity prior to updating their…
more
password. This makes it possible for unauthenticated attackers to change arbitrary user's password to a one-time password if the attacker knows the user's phone number
Deeper analysisAI
CVE-2025-9967 is a privilege escalation vulnerability via account takeover in the Orion SMS OTP Verification plugin for WordPress, affecting all versions up to and including 1.1.7. The issue stems from the plugin failing to properly validate a user's identity before updating their password, allowing unauthorized password changes. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The vulnerability was published on 2025-10-15.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. If an attacker knows a target user's phone number, they can reset that user's password to a one-time password (OTP), enabling full account takeover and potential privilege escalation to administrative levels depending on the victim's role.
Advisories and related resources, including the Wordfence threat intelligence page (https://www.wordfence.com/threat-intel/vulnerabilities/id/b121fdb4-93a8-400c-89c2-3195cb40e03c?source=cve), plugin changelog (https://plugins.trac.wordpress.org/log/orion-sms-otp-verification/), and reset-password.js source code (https://plugins.trac.wordpress.org/browser/orion-sms-otp-verification/trunk/vendor/js/reset-password.js), provide further details on the flaw for mitigation planning, such as updating to a patched version if available.
Details
- CWE(s)