CVE-2025-7955

The RingCentral Communications plugin for WordPress is vulnerable to Authentication Bypass due to improper validation within the ringcentral_admin_login_2fa_verify() function in versions 1.5 to 1.6.8. This makes it possible for unauthenticated attackers to log in as any user simply by supplying identical bogus codes.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/rccp-free/tags/1.6.8/ringcentral.php
https://plugins.trac.wordpress.org/changeset/3349361/
https://wordpress.org/plugins/rccp-free/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/0386ed09-296d-4f33-9fe0-964c0c0a9652?source=cve

Configurations

No configuration.

History

29 Aug 2025, 16:24

Type	Values Removed	Values Added
Summary		(es) El complemento RingCentral Communications para WordPress es vulnerable a la omisión de autenticación debido a una validación incorrecta en la función ringcentral_admin_login_2fa_verify() en las versiones 1.5 a 1.6.8. Esto permite que atacantes no autenticados inicien sesión como cualquier usuario simplemente proporcionando códigos falsos idénticos.

28 Aug 2025, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-28 06:15

Updated : 2025-08-29 16:24

NVD link : CVE-2025-7955

Mitre link : CVE-2025-7955

CVE.ORG link : CVE-2025-7955

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

9.8 /10