Platform: wordpress
Component: rccp-free
Fixed in: 1.6.9
CVE-2025-7955 represents a critical Authentication Bypass vulnerability affecting the RingCentral Communications plugin for WordPress. This flaw allows unauthenticated attackers to gain unauthorized access to user accounts by bypassing the two-factor authentication (2FA) mechanism. The vulnerability impacts versions 1.5 through 1.6.8 of the plugin and requires immediate attention to prevent potential data breaches and system compromise. A patch is expected from the vendor.
The impact of CVE-2025-7955 is severe. An attacker exploiting this vulnerability can impersonate any user within the WordPress site, gaining full control over their account privileges. This could lead to unauthorized data access, modification, or deletion, as well as the potential for escalating privileges to compromise the entire WordPress installation. The lack of 2FA validation makes this bypass particularly easy to execute, significantly increasing the risk of successful attacks. The attacker could potentially steal sensitive information, modify website content, or even install malicious code.
CVE-2025-7955 was publicly disclosed on 2025-08-28. The vulnerability's ease of exploitation, combined with the plugin's popularity, suggests a potential for widespread exploitation. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is likely to be assessed as medium to high due to the critical severity and ease of exploitation. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.
Exploit Status
EPSS: 0.59% (69th percentile)
The primary mitigation for CVE-2025-7955 is to immediately upgrade the RingCentral Communications plugin to a patched version as soon as it becomes available. Until a patch is released, consider temporarily disabling the plugin to prevent exploitation. As a short-term workaround, implement stricter access controls and monitor user activity for suspicious logins. Review WordPress user roles and permissions to limit the potential damage from a compromised account. After upgrading, verify the fix by attempting to log in with a test account and confirming that 2FA is properly enforced.
Update the RingCentral Communications plugin to a version later than 1.6.8. This will fix the authentication bypass vulnerability. If you cannot update, consider disabling the plugin until you can perform the update.
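One way to check whether an install still carries an affected build, as an added example (not code from the plugin or its vendor): it reads the plugin header from the first 8 KiB of each top-level PHP file, as WordPress does, and compares the version numerically against the 1.5 through 1.6.8 range. It assumes the default `wp-content/plugins` layout and a plugin directory named after the component slug `rccp-free`; the installs built in `demo()` are constructed samples.

```python
import re
import tempfile
from pathlib import Path

SLUG = "rccp-free"              # component slug from this page (assumed directory name)
AFFECTED = ((1, 5), (1, 6, 8))  # affected range stated on this page, inclusive
HEADER = re.compile(rb"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.M | re.I)

def parse_version(text):
    """'1.6.8' -> (1, 6, 8); trailing zeros dropped so 1.5.0 == 1.5; None if unparseable."""
    m = re.match(r"\d+(?:\.\d+)*", (text or "").strip())
    parts = [int(p) for p in m.group().split(".")] if m else []
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts) or None

def plugin_version(plugin_dir):
    """Version header of the plugin's main file, or None if no header is found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192]
        fields = {k.lower(): v for k, v in HEADER.findall(head)}
        if b"plugin name" in fields and b"version" in fields:
            return fields[b"version"].decode(errors="replace")
    return None

def audit(wp_root):
    plugin_dir = Path(wp_root, "wp-content", "plugins", SLUG)  # default layout assumed
    if not plugin_dir.is_dir():
        return "not-installed"
    version = parse_version(plugin_version(plugin_dir))
    if version is None:
        return "unknown-version"
    # Tuple comparison is numeric, so 1.10 sorts after 1.6.8 (string comparison would not).
    return "affected" if AFFECTED[0] <= version <= AFFECTED[1] else "not-affected"

def demo():
    """Constructed installs; the main file name and header text are made up."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for v in ("1.4.9", "1.5.0", "1.6.8", "1.6.9", "1.10"):
            plugin = Path(tmp, v, "wp-content", "plugins", SLUG)
            plugin.mkdir(parents=True)
            (plugin / "main.php").write_text(f"<?php\n/*\n * Plugin Name: Constructed\n * Version: {v}\n */\n")
            results[v] = audit(Path(tmp, v))
    return results

if __name__ == "__main__":
    print(demo())
```

An `unknown-version` result means the directory exists but no readable header was found, and should be treated as needing manual review rather than as clean.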
CVE-2025-7955 is a critical vulnerability in the RingCentral Communications plugin for WordPress allowing attackers to bypass 2FA and log in as any user.
You are affected if you are using RingCentral Communications plugin for WordPress versions 1.5 through 1.6.8.
Upgrade the RingCentral Communications plugin to a patched version as soon as it's available. Temporarily disable the plugin until the patch is released.
While no public exploits are currently available, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation.
Refer to the RingCentral website and WordPress plugin repository for official advisories and updates regarding CVE-2025-7955.