Urgent: Critical Authentication Bypass in WordPress User Verification Plugin (CVE-2025-12374)

Overview

A critical vulnerability, identified as CVE-2025-12374, has been discovered in the “Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification” plugin for WordPress. This flaw allows unauthenticated attackers to bypass the login process and gain access to accounts, potentially including administrator accounts, without providing a valid One-Time Password (OTP).

Technical Details

The vulnerability resides in the user_verification_form_wrap_process_otpLogin function of the plugin. Versions up to and including 2.0.39 are affected. The core issue is the lack of proper validation to ensure that an OTP was actually generated before comparing it against user-submitted input. Specifically, the plugin doesn’t verify that an OTP exists for the user before proceeding with the login attempt.

By submitting an empty OTP value, an attacker can bypass the OTP verification process and successfully authenticate as any user with a verified email address. This exploit circumvents the intended security measures and grants unauthorized access to sensitive user accounts and functionalities within the WordPress site.
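The pattern described above, an OTP comparison that never checks whether an OTP was issued, is easiest to see next to a corrected version. The following PHP is an added illustration written for this post; it is not the plugin's code, and the function names, the `hypothetical_*` meta keys and the in-memory stand-in for WordPress user meta are all assumptions. WordPress's `get_user_meta()` returns an empty string for a missing single value, which is what makes the empty-OTP comparison succeed in the vulnerable form.

```php
<?php
// Added illustration of the bug class behind CVE-2025-12374.
// Hypothetical code: not the plugin's implementation, meta key names are made up.

// Constructed stand-in for get_user_meta / update_user_meta / delete_user_meta.
$fake_user_meta = [];

function demo_get_user_meta(int $user_id, string $key)
{
    global $fake_user_meta;
    // Mirrors WordPress: a missing single meta value comes back as ''.
    return $fake_user_meta[$user_id][$key] ?? '';
}

function demo_set_user_meta(int $user_id, string $key, $value): void
{
    global $fake_user_meta;
    $fake_user_meta[$user_id][$key] = $value;
}

function demo_delete_user_meta(int $user_id, string $key): void
{
    global $fake_user_meta;
    unset($fake_user_meta[$user_id][$key]);
}

// VULNERABLE pattern: compares the submitted OTP against whatever is stored,
// without first confirming that an OTP was generated. If none was, the stored
// value is '' and an empty submission passes the comparison.
function vulnerable_otp_login(int $user_id, string $submitted_otp): bool
{
    $stored_otp = demo_get_user_meta($user_id, 'hypothetical_login_otp');
    if ($submitted_otp == $stored_otp) {
        return true; // a real plugin would now call wp_set_auth_cookie()
    }
    return false;
}

// HARDENED pattern: existence check, expiry, constant-time compare, single use.
function hardened_otp_login(int $user_id, string $submitted_otp): bool
{
    $stored_otp = (string) demo_get_user_meta($user_id, 'hypothetical_login_otp');
    $expires_at = (int) demo_get_user_meta($user_id, 'hypothetical_login_otp_expires');

    // 1. Refuse the attempt when no OTP was ever issued or the input is empty.
    if ($stored_otp === '' || $submitted_otp === '') {
        return false;
    }

    // 2. Enforce a short validity window; discard a stale code.
    if ($expires_at === 0 || time() > $expires_at) {
        demo_delete_user_meta($user_id, 'hypothetical_login_otp');
        demo_delete_user_meta($user_id, 'hypothetical_login_otp_expires');
        return false;
    }

    // 3. Strict, constant-time comparison instead of loose ==.
    if (!hash_equals($stored_otp, $submitted_otp)) {
        return false;
    }

    // 4. One-time: consume the code before the caller signs the user in.
    demo_delete_user_meta($user_id, 'hypothetical_login_otp');
    demo_delete_user_meta($user_id, 'hypothetical_login_otp_expires');
    return true;
}

// Constructed demonstration data. User 7 never requested an OTP.
var_dump(vulnerable_otp_login(7, ''));
var_dump(hardened_otp_login(7, ''));

// User 8 requested an OTP a moment ago; it is valid once, then consumed.
demo_set_user_meta(8, 'hypothetical_login_otp', '482913');
demo_set_user_meta(8, 'hypothetical_login_otp_expires', time() + 300);
var_dump(hardened_otp_login(8, '482913'));
var_dump(hardened_otp_login(8, '482913'));
```

Run with `php` from the command line. For user 7 the vulnerable function accepts the empty submission while the hardened one rejects it; for user 8 the hardened function accepts the correct code exactly once. The existence check in step 1 is the fix that matters for this CVE; the expiry, `hash_equals()` and single-use handling are the other properties a defender should expect from any OTP login path.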

CVSS Analysis

  • CVE ID: CVE-2025-12374
  • Severity: CRITICAL
  • CVSS Score: 9.8

A CVSS score of 9.8 signifies a critical severity vulnerability. The exploit is easily achievable, requires no authentication, and poses a significant risk to affected WordPress installations.

Possible Impact

Successful exploitation of this vulnerability can lead to severe consequences, including:

  • Account Takeover: Attackers can gain complete control over user accounts, including administrator accounts.
  • Data Breach: Access to sensitive data stored within the WordPress site.
  • Website Defacement: Attackers can modify the website’s content.
  • Malware Injection: Introduction of malicious code into the website.
  • Complete System Compromise: In some cases, attackers might be able to leverage the compromised website to gain access to the underlying server.

Mitigation and Patch Steps

The most important step is to immediately update the “Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification” plugin to the latest available version. The updated version should include a fix for this vulnerability.

If an update is not yet available, consider temporarily disabling the plugin until a patch is released. Monitor the plugin developer’s website and WordPress.org for updates.

Additionally, review user accounts for any suspicious activity and consider implementing a web application firewall (WAF) to provide an additional layer of security.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
