← volver
CVE-2025-1475

WPCOM Member <= 1.7.5 - Authentication Bypass via 'user_phone'

CVSS 9.8 CRITICALEPSS 0.6%CWE-287
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Productos afectados
whyun · WPCOM Member

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.1/includes/form-validation.php#L110https://plugins.trac.wordpress.org/changeset/3248208/https://www.wordfence.com/threat-intel/vulnerabilities/id/05178bf3-3040-41aa-ba43-779376d30298?source=cve