CVE-2025-1475
WPCOM Member <= 1.7.5 - Authentication Bypass via 'user_phone'The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.
We have discovered 139 live websites that are affected by CVE-2025-1475.
Affected Software
| Product |  Wpcom Member |
| Category | Wordpress Plugins |
| Vulnerable Domains | 139 live websites (32% of Wpcom Member install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 26 versions ( 70% of all versions) |
Common Weakness Enumeration
CWE-287 Improper AuthenticationDetails
- Published - Mar 7, 2025
- Updated - Mar 7, 2025
Credits
- wesley (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-1475 United States | 18 websites |
 China | 92 websites |
 Hong Kong | 8 websites |
 Singapore | 8 websites |
 Germany | 1 websites |
 France | 1 websites |
 Japan | 1 websites |
 Macau | 1 websites |
Website Distribution by TLD
Number of websites using CVE-2025-1475| .com | 111 websites |
| .cn | 12 websites |
| .net | 8 websites |
| .com.cn | 5 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-1475
Top websites that are affected by CVE-2025-1475. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.com | China | ***,*** | |
| *******.com | United States | ***,*** | |
| *****.com | United States | ***,*** | |
| *******.com | China | ***,*** | |
| ************.com | China | *,***,*** | |
| **********.com | China | *,***,*** | |
| *****.cn | China | *,***,*** | |
| *******.com | China | *,***,*** | |
| *************.com | China | *,***,*** | |
| *******.com | China | *,***,*** |
FAQ
CVE-2025-1475 is Improper Authentication in Wpcom Member
A total of 139 websites have been identified as vulnerable to CVE-2025-1475, based on global website indexing conducted by WebTechSurvey.
The Wpcom Member is affected by the CVE-2025-1475 vulnerability.
Wpcom Member versions up to and including 1.7.5 are vulnerable to CVE-2025-1475.