CVE-2025-12374 Overview
CVE-2025-12374 is an authentication bypass vulnerability affecting the Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress. The vulnerability exists in all versions up to and including 2.0.39 and allows unauthenticated attackers to bypass authentication mechanisms by exploiting improper OTP validation logic.
Critical Impact
Unauthenticated attackers can log in as any user with a verified email address, including administrators, by submitting an empty OTP value, potentially leading to complete site compromise.
Affected Products
- WordPress User Verification plugin versions up to and including 2.0.39
- WordPress installations using OTP-based passwordless login functionality
- Sites utilizing the Magic Login feature of the affected plugin
Discovery Timeline
- 2025-12-05 - CVE-2025-12374 published to NVD
- 2025-12-08 - Last updated in NVD database
Technical Details for CVE-2025-12374
Vulnerability Analysis
This authentication bypass vulnerability (CWE-287) stems from a critical flaw in the OTP validation logic within the user_verification_form_wrap_process_otpLogin function. The plugin fails to verify whether an OTP was actually generated for a user session before comparing the submitted OTP value against the stored value. This logic error creates a scenario where an attacker can successfully authenticate without possessing a valid OTP.
If no OTP has been generated for the target user, there is no pending value to compare against: the stored OTP is empty or null. An attacker who submits an empty OTP value therefore passes the check, because an empty input compares equal to an empty stored value (and, under PHP's loose comparison, to null as well). The property the check was meant to prove, possession of a freshly issued secret, is never enforced.
Root Cause
The root cause lies in the absence of a prerequisite check in the user_verification_form_wrap_process_otpLogin function. The vulnerable code at line 141 of hook.php proceeds directly to OTP comparison without first validating that an OTP was generated and is pending verification for the user session. This missing validation step allows the comparison to succeed with empty values on both sides.
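The flawed check and a hardened replacement, modelled side by side. This is an added illustration in Python, not the plugin's PHP: the per-user store, the function names and the 10-minute lifetime are assumptions, and the store is modelled to return an empty string for a user who never requested an OTP (WordPress's get_user_meta() behaves this way for meta that was never written).

```python
"""CVE-2025-12374 logic flaw, modelled in Python.

Added example, not the plugin's own code. Assumptions: the pending OTP lives
in a per-user store that yields an empty string for a user who never
requested one; function names, store layout and OTP_TTL_SECONDS are
illustrative.
"""
import hmac
import secrets
import time
from typing import Optional

OTP_TTL_SECONDS = 600  # assumed lifetime of an issued OTP


def issue_otp(store: dict, user: str, now: Optional[float] = None) -> str:
    """Generate a fresh 6-digit OTP for `user` and record when it was issued."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    store[user] = {"otp": otp, "issued_at": now}
    return otp


def vulnerable_otp_login(store: dict, user: str, submitted: str) -> bool:
    """The flawed check: compare without first testing that an OTP is pending.

    A user who never requested an OTP has an empty stored value, so an empty
    submission compares equal and the login succeeds.
    """
    stored = store.get(user, {}).get("otp", "")   # "" when nothing was ever issued
    return submitted == stored                    # "" == "" -> True


def hardened_otp_login(store: dict, user: str, submitted: str,
                       now: Optional[float] = None) -> bool:
    """The check the plugin should perform: an OTP must be pending, non-empty
    and unexpired; it is compared in constant time and consumed on success."""
    now = time.time() if now is None else now
    entry = store.get(user)
    if not entry or not entry.get("otp"):
        return False                              # nothing pending: refuse outright
    if not submitted:
        return False                              # empty input is never a valid OTP
    if now - entry["issued_at"] > OTP_TTL_SECONDS:
        store.pop(user, None)                     # expired: discard and refuse
        return False
    ok = hmac.compare_digest(entry["otp"].encode(), submitted.encode())
    if ok:
        store.pop(user, None)                     # single use
    return ok


if __name__ == "__main__":
    # Constructed scenario: only "alice" requested an OTP; "admin" never did.
    store = {}
    code = issue_otp(store, "alice", now=1000.0)
    print("vulnerable, admin, empty OTP:", vulnerable_otp_login(store, "admin", ""))              # True
    print("hardened,   admin, empty OTP:", hardened_otp_login(store, "admin", "", now=1001.0))   # False
    print("hardened,   alice, real OTP :", hardened_otp_login(store, "alice", code, now=1001.0)) # True
```

The hardened version refuses before any comparison when no OTP is pending, which is the missing prerequisite check the advisory describes; the expiry, constant-time comparison and single-use consumption are standard OTP hygiene added for completeness, not details taken from the plugin.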
Attack Vector
The attack can be executed remotely over the network without any prior authentication or user interaction. An attacker targeting a WordPress site with the vulnerable plugin installed can craft a malicious authentication request to the OTP login endpoint. By identifying a valid username with a verified email address (such as an administrator account) and submitting an authentication request with an empty OTP field, the attacker can gain unauthorized access to that account.
The attack is particularly dangerous because it requires no special privileges, no user interaction, and minimal complexity. The only prerequisite is a valid username whose email address has been verified; WordPress usernames are frequently discoverable through author archive pages or the REST API users endpoint, so this is a low bar.
Detection Methods for CVE-2025-12374
Indicators of Compromise
- Unexpected administrative login events without corresponding OTP generation in logs
- Authentication requests to OTP login endpoints with empty or null OTP parameter values
- User account access from unusual IP addresses or geolocations without legitimate OTP verification
- Audit log entries showing successful OTP logins where no OTP was requested by the legitimate user
Detection Strategies
- Monitor WordPress authentication logs for OTP login events that lack corresponding OTP request entries
- Implement web application firewall (WAF) rules to flag authentication requests with empty OTP parameters
- Review user session activity for administrator accounts to identify unauthorized access patterns
- Enable and monitor plugin-specific logging to track OTP generation versus OTP verification events
Monitoring Recommendations
- Configure real-time alerting for administrative account logins outside of normal business hours
- Implement anomaly detection for authentication patterns, particularly focusing on OTP-based login attempts
- Monitor for multiple failed login attempts followed by successful OTP bypass attempts from the same source
- Track changes to WordPress user roles and capabilities that may indicate post-exploitation privilege escalation
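The correlation the indicators and strategies above describe, as runnable detection logic. This is an added example, not the plugin's logging or a vendor rule: the log format, the event names `otp_sent` and `otp_login_ok`, and the 10-minute window are constructed for illustration. A successful OTP login with no unconsumed `otp_sent` for that user inside the window is flagged.

```python
"""Correlate OTP issuance with OTP logins to spot CVE-2025-12374 exploitation.

Added example with a constructed log format; the plugin's real logging may
differ and would need its own parser. Events assumed: `otp_sent` (an OTP was
generated and e-mailed) and `otp_login_ok` (an OTP login succeeded).
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>otp_sent|otp_login_ok)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)
WINDOW = timedelta(minutes=10)  # assumed OTP lifetime

# Constructed sample: alice's login follows her OTP within the window; bob's
# only OTP is three hours stale; admin never requested one at all.
SAMPLE_LOG = """\
2025-12-06T08:00:00Z otp_sent user=bob ip=198.51.100.7
2025-12-06T10:15:03Z otp_sent user=alice ip=203.0.113.5
2025-12-06T10:16:10Z otp_login_ok user=alice ip=203.0.113.5
2025-12-06T11:02:44Z otp_login_ok user=admin ip=192.0.2.99
2025-12-06T11:03:01Z otp_login_ok user=bob ip=192.0.2.99
"""


def parse_events(text: str):
    """Yield (timestamp, event, user, ip) for each line matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate lines in other formats rather than fail
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["event"], m["user"], m["ip"]


def find_unbacked_logins(text: str, window: timedelta = WINDOW) -> list:
    """Return OTP logins that no issued, unexpired, unconsumed OTP explains."""
    pending = {}   # user -> issuance timestamps not yet consumed by a login
    findings = []
    for ts, event, user, ip in sorted(parse_events(text)):
        if event == "otp_sent":
            pending.setdefault(user, []).append(ts)
            continue
        # otp_login_ok: look for an unconsumed issuance inside the window
        issued = pending.get(user, [])
        match = next((t for t in issued if timedelta(0) <= ts - t <= window), None)
        if match is None:
            reason = "no OTP issued" if not issued else "only stale OTPs issued"
            findings.append({"user": user, "ip": ip, "ts": ts.isoformat(), "reason": reason})
        else:
            issued.remove(match)  # an OTP is single-use; do not let it cover a second login
    return findings


if __name__ == "__main__":
    for finding in find_unbacked_logins(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the admin login is flagged because no OTP was ever sent, and bob's because the only issuance is outside the window; alice's login is explained and not reported. Feeding this the site's real OTP-issuance and login events gives the "OTP login without corresponding OTP request" indicator directly.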
How to Mitigate CVE-2025-12374
Immediate Actions Required
- Update the WordPress User Verification plugin to a version newer than 2.0.39 immediately
- Audit all WordPress user accounts, especially administrator accounts, for unauthorized access or changes
- Review WordPress audit logs for suspicious authentication events that may indicate exploitation
- Consider temporarily disabling OTP-based passwordless login until the patch is applied
Patch Information
Organizations should update the Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin to the latest available version that addresses this authentication bypass vulnerability. The fix should include proper validation to ensure an OTP was generated before any comparison is performed. Refer to the Wordfence Vulnerability Overview for the latest patch information and affected version details.
Workarounds
- Disable the OTP-based passwordless login feature until the plugin is updated
- Implement additional authentication controls such as IP allowlisting for administrative access
- Use a web application firewall (WAF) to block requests with empty OTP parameters to the login endpoint
- Enable two-factor authentication through an alternative, unaffected plugin for critical accounts
# Workaround: Disable the vulnerable plugin via WP-CLI until patched
wp plugin deactivate user-verification
# Alternative when WP-CLI is unavailable: rename the plugin directory; WordPress
# deactivates any active plugin whose main file can no longer be found
mv wp-content/plugins/user-verification wp-content/plugins/user-verification.disabled
# Verify the plugin is deactivated
wp plugin list | grep user-verification
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.