WordPress Plugin Vulnerabilities

Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification < 2.0.45 - Authentication Bypass to Account Takeover

Description

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.

Affects Plugins

Plugin icon
user-verification
Fixed in 2.0.45

References

CVE
CVE-2025-12374
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8ccb1304-326e-43af-b75d-23874f92ba8b

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
lucky_buddy
Verified
No
WPVDB ID
dd9da921-39fd-43b8-bdd6-9d923da26fe2

Timeline

Publicly Published
2025-12-04 (about 6 months ago)
Added
2025-12-04 (about 6 months ago)
Last Updated
2026-04-30 (about 1 month ago)

Other

Published
Title
Published
2024-10-10
Title
Pedalo Connector <= 2.0.5 - Authentication Bypass to Administrator
Published
2024-06-03
Title
Social Login Lite For WooCommerce <= 1.6.0 - Authentication Bypass
Published
2025-12-12
Title
Ninja Forms < 3.13.3 - Unauthenticated Token Generation and Submission Disclosure
Published
2019-09-26
Title
GiveWp < 2.5.5 - Authentication Bypass
Published
2015-02-02
Title
Revive Old Post < 6.9.4 - Privilege Escalation