Platform
wordpress
Component
wpcom-member
Fixed in
1.7.6
CVE-2025-1475 is an authentication bypass vulnerability affecting the WPCOM Member plugin for WordPress. This flaw allows unauthenticated attackers to gain access to user accounts, potentially including administrator privileges, if SMS login is enabled. The vulnerability impacts versions 0.0.0 through 1.7.5. A fix is available in a subsequent version (check vendor advisory).
The impact of this vulnerability is severe. An attacker can leverage it to completely compromise a WordPress site by logging in as any user. This grants them full control over the site's content, configuration, and potentially its database. They could modify data, install malicious plugins, redirect users to phishing sites, or even use the compromised site as a launchpad for further attacks. The ability to impersonate an administrator significantly expands the attack surface and potential damage.
This vulnerability was publicly disclosed on 2025-03-07. The CRITICAL CVSS score indicates a high probability of exploitation. Public proof-of-concept code is likely to emerge, increasing the risk. Monitor security advisories and threat intelligence feeds for reports of active exploitation campaigns targeting vulnerable WordPress sites.
WordPress sites utilizing the WPCOM Member plugin, particularly those with SMS login enabled, are at significant risk. Shared hosting environments where plugin updates are managed centrally are also vulnerable if they haven't applied the patch. Sites with legacy WordPress configurations or those lacking robust security monitoring are especially susceptible.
• wordpress / composer / npm:
grep -r 'user_phone' /var/www/html/wp-content/plugins/wpcom-member/
• wordpress / composer / npm:
wp plugin list --status=all | grep wpcom-member
• wordpress / composer / npm:
wp plugin update wpcom-member
Disclosure
Exploit status
EPSS
0.71% (72nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the WPCOM Member plugin to a version containing the fix. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily disabling SMS login functionality. Implement strict access controls and monitor user activity for suspicious logins. Review WordPress security plugins for potential detection rules related to unusual login attempts. After upgrade, verify the fix by attempting an SMS login with a non-administrator account and confirming access is denied.
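To make the version check and the post-upgrade verification above repeatable, here is an added example (it is not part of this advisory and not the plugin's own code): a POSIX shell script that reads the `Version:` header WordPress requires in a plugin's main file and classifies it against the fixed release 1.7.6 stated on this page. The main file name `wpcom-member.php` and the plugin header it builds for the demonstration are assumptions; the affected range 0.0.0 through 1.7.5 comes from the advisory.

```shell
#!/bin/sh
# Added example: classify an installed WPCOM Member plugin as vulnerable or
# patched for CVE-2025-1475 by reading its plugin header.
# Fixed release taken from the advisory; file name below is an assumption.

FIXED_VERSION="1.7.6"

# plugin_version <file>: print the value of the "Version:" header line
# (WordPress plugin headers live in a leading comment block, e.g. " * Version: 1.7.5").
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_lt <a> <b>: succeed when a sorts strictly before b in version order.
# sort -V handles multi-digit components correctly (1.10.0 > 1.7.6).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_vulnerable <version>: succeed when the version is below the fixed release.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_plugin <dir>: print VULNERABLE (...), PATCHED (...) or UNKNOWN for a
# plugin directory. The main file name wpcom-member.php is assumed.
check_plugin() {
    main="$1/wpcom-member.php"
    if [ ! -f "$main" ]; then
        echo "UNKNOWN"
        return 0
    fi
    v=$(plugin_version "$main")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif is_vulnerable "$v"; then
        echo "VULNERABLE ($v < $FIXED_VERSION)"
    else
        echo "PATCHED ($v)"
    fi
}

# sample_plugin_dir <version>: build a constructed plugin directory with a
# minimal header so the check can be exercised offline; prints its path.
sample_plugin_dir() {
    ver="$1"
    dir=$(mktemp -d)
    mkdir -p "$dir/wpcom-member"
    cat > "$dir/wpcom-member/wpcom-member.php" <<EOF
<?php
/**
 * Plugin Name: WPCOM Member (constructed sample header)
 * Version: $ver
 */
EOF
    echo "$dir/wpcom-member"
}

# Usage on a real site (assumed default path):
#   check_plugin /var/www/html/wp-content/plugins/wpcom-member
```

On a live site, run `check_plugin` against the real plugin directory after `wp plugin update wpcom-member` has completed; a result other than `PATCHED` means the upgrade did not land and SMS login should stay disabled until it does.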
To fix the authentication bypass vulnerability, update the WPCOM Member plugin to the latest available version. Ensure that SMS login is correctly configured and that additional security measures are in place to protect user accounts.
CVE-2025-1475 is a critical vulnerability in the WPCOM Member WordPress plugin allowing attackers to bypass authentication and log in as any user, including administrators, if SMS login is enabled.
If you are using the WPCOM Member plugin for WordPress in versions 0.0.0 through 1.7.5 and have SMS login enabled, you are likely affected by this vulnerability.
Upgrade the WPCOM Member plugin to a patched version. If upgrading is not immediately possible, disable SMS login as a temporary workaround.
While active exploitation is not yet confirmed, the CRITICAL severity and public disclosure suggest a high probability of exploitation. Monitor for suspicious activity.
Refer to the official WPCOM security advisory for details and updates regarding this vulnerability. Check the Automattic security blog for the latest information.