CVE-2025-14002

WordPress · WordPress WPCOM Member plugin

A high-severity authentication bypass vulnerability has been identified in the WPCOM Member plugin for WordPress.

Executive summary

A high-severity authentication bypass vulnerability has been identified in the WPCOM Member plugin for WordPress. This flaw allows an unauthenticated attacker to gain unauthorized access to user accounts, including those with administrative privileges, by using automated brute-force techniques. Successful exploitation could lead to a full site compromise, resulting in data theft, website defacement, or malware distribution.

Vulnerability

The WPCOM Member plugin lacks sufficient rate-limiting or account lockout mechanisms on its authentication endpoint. An unauthenticated remote attacker can exploit this by repeatedly attempting to guess user passwords using automated tools (a brute-force attack). Because there is no mechanism to block or slow down these attempts, the attacker can try millions of password combinations in a short period, eventually guessing a valid password and gaining access to the corresponding user's account.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.1. A successful exploit could have significant negative consequences for the business. An attacker gaining administrative access to a WordPress site can steal sensitive user data, intellectual property, or customer information, leading to regulatory fines and reputational damage. The attacker could also deface the website, inject malicious code to attack site visitors, or use the compromised server as a pivot point for further attacks on the internal network, disrupting business operations and eroding customer trust.

Remediation

Immediate Action:

  • Immediately update the WPCOM Member plugin to the latest patched version provided by the vendor.
  • If the plugin is not essential for business operations, the recommended course of action is to disable and completely remove it to eliminate this attack surface.
  • Review all user accounts, especially administrative accounts, for any signs of unauthorized access or creation.

Proactive Monitoring:

  • Monitor web server and security plugin logs for an abnormally high number of failed login attempts originating from a single or small set of IP addresses.
  • Implement alerts for the creation of new administrative-level accounts or unauthorized privilege escalation of existing accounts.
  • Analyze network traffic for patterns indicative of automated scanning or brute-force tools targeting the site's login pages.
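The log review described in the monitoring items above can be scripted. The following is an added example written for this advisory, not code from the WPCOM Member plugin or its vendor. It assumes combined-format access logs (Apache or Nginx), uses /wp-login.php from the compensating-controls list as a stand-in because the advisory does not name the plugin's own authentication endpoint, and maps HTTP 200 to a failed and HTTP 302 to a successful core WordPress login; both the path and the status mapping must be adjusted to the plugin's real endpoint. The sample log lines are constructed. The script reports sources with a burst of failed logins inside a sliding window (slow, spread-out guessing is deliberately outside this rule), sources using default scripting-client User-Agents, and any burst source that afterwards obtained a successful login, which is the case to treat as a probable account compromise.

```python
"""Detect brute-force login bursts in web server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Assumption: the advisory does not name the plugin's endpoint, so the core
# login URL from its remediation list stands in for it here.
LOGIN_PATH = "/wp-login.php"
FAILED = 200       # core WordPress re-renders the form (HTTP 200) on a bad password
SUCCESS = 302      # and redirects (HTTP 302) on a good one
THRESHOLD = 10     # failed POSTs per source within WINDOW that raise an alert
WINDOW = timedelta(minutes=5)
# Default User-Agent prefixes of common scripting HTTP clients
SCRIPTED_UA = ("python-requests/", "curl/", "Go-http-client/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def login_posts(lines):
    """Yield parsed records for POSTs to the login endpoint only."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            yield rec


def find_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Map source IP -> peak number of failed logins inside any sliding window.

    Only sources whose peak reaches `threshold` are returned, so a slow
    attacker spreading guesses beyond the window is not reported by this rule.
    """
    per_ip = defaultdict(list)
    for rec in login_posts(lines):
        if rec["status"] == FAILED:
            per_ip[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def scripted_clients(lines):
    """IPs hitting the login endpoint with an empty or scripting-tool User-Agent."""
    return {rec["ip"] for rec in login_posts(lines)
            if not rec["ua"] or rec["ua"].startswith(SCRIPTED_UA)}


def likely_compromised(lines, threshold=THRESHOLD, window=WINDOW):
    """IPs that produced a burst and also received a login redirect (302)."""
    bursts = find_bursts(lines, threshold, window)
    return {rec["ip"] for rec in login_posts(lines)
            if rec["ip"] in bursts and rec["status"] == SUCCESS}


# --- constructed sample log (not real traffic) ---------------------------------
def _line(ip, hhmmss, status=FAILED, method="POST", ua="Mozilla/5.0 (X11; Linux x86_64)"):
    return (f'{ip} - - [12/Mar/2025:{hhmmss} +0000] "{method} {LOGIN_PATH} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

SAMPLE_LOG = (
    # 203.0.113.7: 12 failures in under a minute, then a successful guess
    [_line("203.0.113.7", f"10:00:{5 * i:02d}", ua="python-requests/2.32.0") for i in range(12)]
    + [_line("203.0.113.7", "10:01:30", status=SUCCESS, ua="python-requests/2.32.0")]
    # 198.51.100.4: a person mistyping twice, plus a GET of the form
    + [_line("198.51.100.4", "10:03:00"), _line("198.51.100.4", "10:03:20"),
       _line("198.51.100.4", "10:03:40", method="GET")]
    # 192.0.2.9: one failure every two minutes for 18 minutes (never 10 inside one window)
    + [_line("192.0.2.9", f"10:{2 * i:02d}:00") for i in range(10)]
)

if __name__ == "__main__":
    print("bursts:", find_bursts(SAMPLE_LOG))              # {'203.0.113.7': 12}
    print("scripted:", scripted_clients(SAMPLE_LOG))       # {'203.0.113.7'}
    print("compromised:", likely_compromised(SAMPLE_LOG))  # {'203.0.113.7'}
```

To run it against a real log, pass an open file object (`find_bursts(open("access.log"))`) instead of `SAMPLE_LOG`, and tune `THRESHOLD` and `WINDOW` to the site's normal failed-login rate; lowering the threshold to 3 makes the slow 192.0.2.9 source appear in the burst report, which shows why a window-based rule alone should be paired with a longer-horizon count.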

Compensating Controls:

  • If patching cannot be performed immediately, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block brute-force login attempts.
  • Enforce Multi-Factor Authentication (MFA) for all users, particularly for administrative and editor roles. This ensures that a compromised password alone is not sufficient to gain access.
  • Restrict access to the WordPress login page (e.g., /wp-login.php, /wp-admin/) to trusted IP addresses using web server configurations or .htaccess rules.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the high CVSS score of 8.1 and the simplicity of exploitation, this vulnerability poses a significant and immediate risk to all organizations using the affected WPCOM Member plugin. We strongly recommend that administrators take immediate action to apply the vendor-supplied patch or remove the plugin entirely. Although this CVE is not currently listed on the CISA KEV catalog, its high impact and the likelihood of widespread exploitation make it a critical vulnerability that must be remediated without delay.