PT-2025-51469 · WordPress · Wpcom Member

Wesley · Published 2025-12-16 · Updated 2025-12-18 · CVE-2025-14002

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
WPCOM Member plugin for WordPress, versions prior to 1.7.17

Description
The software is susceptible to authentication bypass through brute-force attacks. The cause is a weak One-Time Password (OTP) scheme: codes are only six numeric digits, remain valid for ten minutes, and verification attempts are not rate limited. Because the keyspace is one million codes and nothing stops repeated guesses, an attacker who knows a target's phone number can submit a large fraction of that keyspace within the validity window (roughly 1,700 guesses per second covers all of it) and potentially authenticate as any user, including administrators, if the target does not notice, or disregards, the SMS notification carrying the OTP.

Recommendations
Update the WPCOM Member plugin to version 1.7.17 or later.

Fix

Weakness Enumeration
Improper Authentication

Related Identifiers
CVE-2025-14002

Affected Products
Wpcom Member