{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1475", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-19T16:29:36.050Z", "datePublished": "2025-03-07T06:40:02.364Z", "dateUpdated": "2026-04-08T16:33:18.719Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:18.719Z"}, "affected": [{"vendor": "whyun", "product": "WPCOM Member", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled."}], "title": "WPCOM Member <= 1.7.5 - Authentication Bypass via 'user_phone'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05178bf3-3040-41aa-ba43-779376d30298?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.1/includes/form-validation.php#L110"}, {"url": "https://plugins.trac.wordpress.org/changeset/3248208/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-287 Improper Authentication", "cweId": "CWE-287", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2025-03-06T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-07T16:10:35.554165Z", "id": "CVE-2025-1475", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-07T16:23:50.830Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1475", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-03-07T16:10:35.554165Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-07T16:21:39.344Z"}}], "cna": {"title": "WPCOM Member <= 1.7.5 - Authentication Bypass via 'user_phone'", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "whyun", "product": "WPCOM Member", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.7.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-03-06T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05178bf3-3040-41aa-ba43-779376d30298?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.1/includes/form-validation.php#L110"}, {"url": "https://plugins.trac.wordpress.org/changeset/3248208/"}], "descriptions": [{"lang": "en", "value": "The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-03-07T06:40:02.364Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1475", "state": "PUBLISHED", "dateUpdated": "2025-03-07T16:23:50.830Z", "dateReserved": "2025-02-19T16:29:36.050Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-03-07T06:40:02.364Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled."}, {"lang": "es", "value": "El complemento WPCOM Member para WordPress es vulnerable a la omisi\u00f3n de la autenticaci\u00f3n en todas las versiones hasta la 1.7.5 incluida. Esto se debe a una verificaci\u00f3n insuficiente en el par\u00e1metro 'user_phone' al iniciar sesi\u00f3n. Esto hace posible que atacantes no autenticados inicien sesi\u00f3n como cualquier usuario existente en el sitio, como un administrador, si el inicio de sesi\u00f3n por SMS est\u00e1 habilitado."}], "id": "CVE-2025-1475", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-03-07T07:15:23.343", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.1/includes/form-validation.php#L110"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3248208/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05178bf3-3040-41aa-ba43-779376d30298?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T03:30:41.553362+00:00", "value": {"mitigation_remediation": ["Upgrade the WPCOM Member plugin to the latest version, which removes the user_phone validation flaw.", "If the plugin cannot be upgraded immediately, disable SMS-based login or block the user_phone parameter until a patch is applied.", "Monitor login activity for unexpected authentication events and apply additional access controls such as role-based permissions to limit the impact of potential account takeover."], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the whyun WPCOM Member plugin version 1.7.5 or earlier are affected. All installations that have not updated beyond 1.7.5 and that have SMS login enabled are at risk.", "description_and_impact": "The WPCOM Member plugin for WordPress contains an authentication bypass flaw that stems from the plugin\u2019s failure to properly validate the 'user_phone' parameter during login. When an attacker supplies an arbitrary phone number, the plugin accepts it as a valid credential and authenticates the request as the user associated with that number. This allows an attacker to impersonate any registered account, including administrators, without needing a password. The weakness is an authentication failure (CWE\u2011287) and it provides the attacker with full access to the site\u2019s content, files, and potentially sensitive data.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 9.8, classifying it as critical. The EPSS score of less than 1% suggests that, in the current window, the probability of exploitation is low, and it is not listed in the CISA KEV catalog. Nonetheless, the attack vector is straightforward: a remote authenticated request to the login endpoint with a crafted 'user_phone' value. An attacker only needs network access to the site and the ability to send HTTP requests. Should the service allow SMS login, the attacker can simply supply any phone number that belongs to a registered user to gain full access."}}}}, "created": "2026-04-28T03:45:20.276690+00:00", "updated": "2026-04-28T03:45:20.276713+00:00", "vendors": []}