Platform
wordpress
Component
user-verification
Fixed in
2.0.45
CVE-2025-12374 is a critical authentication bypass vulnerability in the User Verification by PickPlugins plugin for WordPress. An unauthenticated attacker can exploit the flaw to gain access to user accounts, including administrator accounts, by submitting an empty OTP value in the plugin's OTP login flow. Versions up to and including 2.0.44 are affected; the fix shipped in version 2.0.45.
The bypass lets an unauthenticated attacker impersonate any user whose email address has been verified. Successful exploitation yields full access to the victim's account, so the attacker can read sensitive data, modify the profile and perform any action the user is allowed to perform; if the targeted account is an administrator, that is full control of the site. The impact is severe precisely because it is a complete account takeover with no prior authentication and no user interaction. A login step that never actually validates the OTP is a fundamental flaw in the plugin's authentication logic, which makes this a high-priority fix.
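To make the flaw class concrete, the following Python is an added illustration written for this page; it is not code from the User Verification plugin or from PickPlugins. It contrasts a hypothetical OTP check that only compares the code when one was supplied (so an empty submission falls through to success) with a hardened check that treats an empty code as an explicit failure and also enforces expiry, an attempt cap, single use and a constant-time comparison. All names and limits (OtpRecord, OTP_TTL_SECONDS, MAX_ATTEMPTS) are assumptions made for the example.

```python
"""Added illustration of the empty-OTP bypass pattern; not PickPlugins code.

verify_otp_vulnerable shows a hypothetical check that only compares the code
when one was supplied, so "" is accepted. verify_otp_hardened shows the checks
a login OTP should pass. OtpRecord, OTP_TTL_SECONDS and MAX_ATTEMPTS are
assumptions made for this example.
"""
import hmac
import secrets

OTP_TTL_SECONDS = 300   # assumed code lifetime
MAX_ATTEMPTS = 5        # assumed guesses allowed per issued code


def verify_otp_vulnerable(submitted: str, stored_otp: str) -> bool:
    """Hypothetical flawed logic: the comparison is guarded by truthiness of
    the input, so an empty string skips it and falls through to success."""
    if submitted:
        if submitted != stored_otp:
            return False
    return True


class OtpRecord:
    """Server-side state for one issued code (constructed for the example)."""

    def __init__(self, code: str, issued_at: float) -> None:
        self.code = code
        self.expires_at = issued_at + OTP_TTL_SECONDS
        self.attempts = 0
        self.consumed = False


def issue_otp(now: float) -> OtpRecord:
    """Six-digit code from a CSPRNG, zero-padded so it is always six chars."""
    return OtpRecord(f"{secrets.randbelow(10**6):06d}", now)


def verify_otp_hardened(submitted, record, now: float) -> bool:
    """Fail closed: empty or non-string input, a missing or already-used
    record, expiry and the attempt cap are all explicit rejections; the
    compare is constant-time and a successful code is consumed so it cannot
    be replayed."""
    if record is None or record.consumed:
        return False
    if not isinstance(submitted, str) or not submitted.strip():
        return False          # the empty-OTP case the advisory describes
    if now > record.expires_at:
        return False
    if record.attempts >= MAX_ATTEMPTS:
        return False
    record.attempts += 1      # count the attempt before comparing
    if not hmac.compare_digest(submitted.encode(), record.code.encode()):
        return False
    record.consumed = True
    return True


if __name__ == "__main__":
    print("vulnerable accepts empty OTP:", verify_otp_vulnerable("", "123456"))
    rec = issue_otp(now=0.0)
    print("hardened accepts empty OTP:", verify_otp_hardened("", rec, now=1.0))
    print("hardened accepts real code:", verify_otp_hardened(rec.code, rec, now=1.0))
```

The hardened version counts the attempt before comparing and marks the record consumed on success; both details matter, because an attacker who can submit unlimited guesses against a six-digit code, or replay a code already used, gets a different bypass even when the empty-input case is handled.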
CVE-2025-12374 was publicly disclosed on December 4, 2025. No public proof-of-concept (PoC) code had been released at the time of writing, the CVE is not listed in the CISA KEV catalog, and no active exploitation campaign has been confirmed. Note that the CVSS 9.8 score measures severity, not likelihood; the exploitation-likelihood signal is the EPSS estimate, 0.45% (63rd percentile). Even so, an attack that reduces to submitting a blank OTP field has a very low bar, so opportunistic targeting of unpatched sites should be expected.
WordPress sites running the User Verification by PickPlugins plugin are at risk, and the consequence is greatest where administrator accounts use the plugin's email verification or passwordless login, because those accounts become reachable through the bypass. On shared hosting, a site compromised this way can also serve as a foothold against other sites on the same server, so the exposure is not limited to the vulnerable site itself.
• wordpress: grep -r "user_verification_form_wrap_process_otpLogin" /var/www/html/wp-content/plugins/user-verification-by-pickplugins/ (confirms the OTP login handler is present in the install; it does not tell you whether the installed version is patched, so pair it with the version check)
• wordpress: wp plugin list --status=active | grep user-verification-by-pickplugins
• wordpress: wp plugin get user-verification-by-pickplugins --field=version (affected if the result is 2.0.44 or earlier)
• generic web: Check the web server access logs for requests to the plugin's login endpoints with an empty OTP parameter. Standard access logs record only the request line, so an OTP sent in a POST body is invisible there; a WAF or ModSecurity audit log, or a request hook inside WordPress, is needed to see form-body values.
Disclosure
Exploit status
EPSS
0.45% (63rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-12374 is to upgrade the User Verification by PickPlugins plugin to version 2.0.45 or later without delay. If the upgrade cannot be applied immediately because of compatibility concerns, temporarily disable the plugin's OTP login functionality; this narrows the attack surface but is not a substitute for the patch. In parallel, review web server access logs for login attempts against the plugin's endpoints with empty OTP values, bearing in mind that standard access logs do not record POST bodies, so a WAF or audit log is needed to see OTP values sent as form data. A Web Application Firewall rule that rejects requests to the plugin's login endpoints whose OTP parameter is absent or blank gives interim protection, provided the rule inspects the request body and not only the query string. After upgrading, confirm the fix by submitting an empty OTP value to the login flow; the attempt should be rejected.
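As an added worked example, not from the advisory or the plugin, the Python below applies the log-review and WAF-rule advice above to constructed access-log lines: it parses combined-format entries and flags requests to a WordPress AJAX endpoint whose action looks like an OTP login and whose OTP parameter is absent or blank. The same predicate, `empty_otp_request`, is what a WAF rule would evaluate, and it accepts a POST body so the form-data case is covered too. The endpoint paths, the action-name hint and the `otp` parameter name are placeholders chosen for the example; confirm the real ones from the plugin's handler before deploying the predicate as a blocking rule.

```python
"""Added example (not from the advisory or PickPlugins): triage of access-log
lines for empty-OTP login attempts, plus the predicate a WAF rule would apply.

Assumptions: the plugin's OTP login is reached via admin-ajax.php (or the
REST API) with an `action` value containing 'otp' and the code in a parameter
named `otp`. All three are placeholders for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format. Request bodies are never logged here, so
# only query-string abuse is visible; POST bodies need a WAF audit log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

OTP_PARAM = "otp"                                           # assumed name
OTP_ACTION_HINT = "otp"                                     # assumed substring
PLUGIN_PATHS = ("/wp-admin/admin-ajax.php", "/wp-json/")    # assumed entry points


def empty_otp_request(method, target, body=""):
    """WAF-style predicate: True when a request reaches an OTP login endpoint
    with the OTP parameter absent or empty. keep_blank_values=True matters:
    without it parse_qs silently drops 'otp=' and the check would miss it."""
    parts = urlsplit(target)
    if not parts.path.startswith(PLUGIN_PATHS):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST" and body:
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    action = "".join(params.get("action", []))
    if OTP_ACTION_HINT not in action.lower():
        return False
    values = params.get(OTP_PARAM, [])
    return not any(v.strip() for v in values)


def triage(lines):
    """Return (ip, timestamp, target, status) for each matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if empty_otp_request(m["method"], m["target"]):
            hits.append((m["ip"], m["ts"], m["target"], int(m["status"])))
    return hits


# Constructed sample lines for the example, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Dec/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=uv_otp_login&email=admin%40example.com&otp= HTTP/1.1" 200 512 "-" "curl/8.4"',
    '203.0.113.5 - - [04/Dec/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=uv_otp_login&email=editor%40example.com HTTP/1.1" 200 498 "-" "curl/8.4"',
    '198.51.100.7 - - [04/Dec/2025:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=uv_otp_login&email=bob%40example.com&otp=482913 HTTP/1.1" 200 530 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Dec/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 50 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [04/Dec/2025:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print("empty-OTP login attempt:", hit)
```

The last sample line is the important caveat: a POST to admin-ajax.php shows up in the access log with no parameters at all, so the triage cannot tell whether it carried a blank OTP. That is why the advisory's WAF rule has to inspect the request body, and why an audit log that captures bodies is needed for retrospective investigation.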
Update to version 2.0.45, or a newer patched version
CVE-2025-12374 is a critical authentication bypass vulnerability in the User Verification by PickPlugins WordPress plugin, allowing attackers to log in as any verified user.
You are affected if you are using User Verification by PickPlugins version 2.0.44 or earlier. Upgrade to 2.0.45 to resolve the issue.
Upgrade the User Verification by PickPlugins plugin to version 2.0.45 or later. Temporarily disable OTP login as a workaround if immediate upgrade is not possible.
Active exploitation is not currently confirmed, but the vulnerability's severity suggests a potential for future targeting.
Refer to the PickPlugins website and WordPress plugin repository for the latest advisory and update information.