CVE-2025-12374CRITICAL 9.8EPSS p34.5%

CVE-2025-12374CVE-2025-12374

Description

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.43% probability of exploitation · percentile 34.5% · 2026-06-18T12:00:27Z
Published2025-12-05
Last modified2026-04-15

Underlying weaknesses· 1

CWE-287

References

  1. https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/hook.php#L141
  2. https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442150%40user-verification&new=3442150%40user-verification&sfp_email=&sfph_mail=
  3. https://www.wordfence.com/threat-intel/vulnerabilities/id/8ccb1304-326e-43af-b75d-23874f92ba8b?source=cve

1

TypeTargetConfidenceTier
WeaknessImproper Authenticationcwe-2870%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-7458
CVE
CVE-2025-3746
CVE
CVE-2025-3844
CVE
CVE-2025-8342
CVE
CVE-2025-7692
CVE
CVE-2025-9967
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.