cleantalk
Vulnerabilities and Security Researches

WPCOM Member, CVE-2025-1475

CVE, Research URL

CVE-2025-1475

Application

WPCOM Member

Published on

Mar 07, 2025

Research Description

The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.

Affected versions

max 1.7.6.

Status

vulnerable