CVE-2025-12374

EPSS 0.43%
Veröffentlicht 05.12.2025 06:07:19
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.44 - Authentication Bypass to Account Takeover

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.

Mögliche Gegenmaßnahme

User Verification by PickPlugins: Update to version 2.0.45, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerpickplugins

≫

Produkt User Verification by PickPlugins

Default Statusunaffected

Version <= 2.0.44

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt User Verification by PickPlugins

Version *-2.0.44

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.43%	0.344

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://www.wordfence.com/threat-intel/vulnerabilities/id/8ccb1304-326e-43af-b75d-23874f92ba8b?source=cve

https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/hook.php#L141

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442150%40user-verification&new=3442150%40user-verification&sfp_email=&sfph_mail=

https://www.wordfence.com/threat-intel/vulnerabilities/id/8ccb1304-326e-43af-b75d-23874f92ba8b

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-12374

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-12374

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-12374

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-12374