Description
The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change an arbitrary user's password to a one-time password if the attacker knows the user's phone number.
Published: 2025-10-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Account Takeover
Action: Immediate Patch
AI Analysis

Impact

The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation because it does not verify that a password-reset request actually comes from the owner of the account; the weakness is classified as CWE-288 (authentication bypass using an alternate path or channel). An unauthenticated attacker who knows a target's phone number can invoke the plugin's reset-password endpoint and set that user's password to a one-time-password value, taking over the account. The attacker then holds every capability of the compromised user; if that user is an administrator, this typically amounts to full control of the site, including the ability to install plugins or themes and thereby run code on the server.

Affected Systems

All installations of the Orion SMS OTP Verification plugin version 1.1.7 and earlier are affected. No other vendors or products are listed. Any WordPress site with one of these plugin versions active is at risk, and every user account that has a phone number stored by the plugin is a potential target.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the flaw critical: it is reachable over the network, needs no privileges and no user interaction, and has high impact on confidentiality, integrity and availability. The EPSS score of below 1% indicates a low but non-zero probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment likewise records no known exploitation but marks the flaw as automatable with total technical impact. Because the only prerequisite is the target's phone number, which is often discoverable, the exploit path is simple enough that the low EPSS value should not be read as low risk: any account, including administrator accounts, can be taken over, which puts site integrity and confidentiality directly at stake.

Generated by OpenCVE AI on April 20, 2026 at 21:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Orion SMS OTP Verification plugin as soon as the vendor publishes a release later than 1.1.7 that fixes the flaw; while no fixed version exists, deactivate and remove the plugin rather than leaving it installed.
  • Disable or restrict access to the reset-password.js endpoint so that unauthenticated requests cannot trigger a password change, either via web‑server rules or by removing the file from the installation if the functionality is not needed. Note that a JavaScript file only drives the browser: blocking or deleting it does not by itself stop an attacker from sending the same request directly to the server‑side handler the script calls, so confirm that the handler is also unreachable (or the plugin deactivated) by testing with a direct request.
  • Add an additional layer of verification for password changes: the one‑time code must be generated server‑side, bound to the specific user, short‑lived and single‑use, and verified before the password is changed, and the new password must never be the OTP itself. For changes made by a logged‑in user, require the current password or a multi‑factor confirmation as well.
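The pattern behind CWE-288 here, and the server-side verification the last recommendation calls for, as an added illustration in PHP. This is not the Orion plugin's code: the AJAX action names, the `phone_number` user-meta key, the `demo_otp_` transient prefix and the `demo_send_otp_sms` hook are assumptions. The first handler shows the vulnerable shape, in which a caller names a phone number and the account's password is overwritten with whatever OTP value is submitted, with no proof that the caller controls that phone. The second pair of handlers only changes the password after the caller presents a code the site itself generated, stored as a hash bound to the user with a short expiry and an attempt limit, and the new password is a separate value.

```php
<?php
// Added illustration, not the Orion plugin's code. Assumed: AJAX action names,
// the `phone_number` user-meta key, the `demo_otp_` transient prefix and the
// `demo_send_otp_sms` hook that an SMS transport would listen on.

function demo_find_user_by_phone( $phone ) {
    $users = get_users( array(
        'meta_key'   => 'phone_number',
        'meta_value' => $phone,
        'number'     => 1,
    ) );
    return $users ? $users[0] : null;
}

// --- Vulnerable shape (CWE-288) --------------------------------------------
// Registered on the nopriv hook, so no login is needed, and the only input
// tying the caller to the account is a phone number anyone might know. The
// submitted "otp" is never checked against anything; it simply becomes the
// user's new password.
function demo_vuln_reset_password() {
    $phone = sanitize_text_field( $_POST['phone'] ?? '' );
    $otp   = (string) ( $_POST['otp'] ?? '' );

    $user = demo_find_user_by_phone( $phone );
    if ( ! $user ) {
        wp_send_json_error( 'unknown phone' );   // also reveals which phones are registered
    }
    wp_set_password( $otp, $user->ID );          // no proof of possession of the phone
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_demo_vuln_reset', 'demo_vuln_reset_password' );

// --- Hardened shape ---------------------------------------------------------
// Step 1: the site generates the OTP, keeps only a hash of it bound to the
// user id, with a five-minute expiry and an attempt counter, and hands the
// clear-text code to the SMS transport. The response is identical whether or
// not the phone is registered, so this endpoint cannot be used for enumeration.
function demo_issue_otp() {
    check_ajax_referer( 'demo_reset', 'nonce' );
    $phone = sanitize_text_field( $_POST['phone'] ?? '' );
    $user  = demo_find_user_by_phone( $phone );
    if ( $user ) {
        $otp = str_pad( (string) wp_rand( 0, 999999 ), 6, '0', STR_PAD_LEFT );
        set_transient( 'demo_otp_' . $user->ID, array(
            'hash'     => wp_hash_password( $otp ),
            'expires'  => time() + 5 * MINUTE_IN_SECONDS,
            'attempts' => 0,
        ), 5 * MINUTE_IN_SECONDS );
        do_action( 'demo_send_otp_sms', $phone, $otp ); // assumed transport hook
    }
    wp_send_json_success( 'if that phone is registered, a code has been sent' );
}
add_action( 'wp_ajax_nopriv_demo_issue_otp', 'demo_issue_otp' );

// Step 2: the password changes only after the caller proves possession of the
// phone by presenting the code. The code is compared through the password
// hasher (constant-time), is single-use, and is retired after five failures;
// the new password is a separate, caller-chosen value, never the OTP itself.
function demo_safe_reset_password() {
    check_ajax_referer( 'demo_reset', 'nonce' );
    $phone    = sanitize_text_field( $_POST['phone'] ?? '' );
    $otp      = preg_replace( '/\D/', '', (string) ( $_POST['otp'] ?? '' ) );
    $new_pass = (string) ( $_POST['new_password'] ?? '' );

    $user = demo_find_user_by_phone( $phone );
    if ( ! $user ) {
        wp_send_json_error( 'invalid code' );    // same error as a wrong OTP
    }
    $key   = 'demo_otp_' . $user->ID;
    $state = get_transient( $key );

    if ( ! is_array( $state ) || time() > $state['expires'] || $state['attempts'] >= 5 ) {
        delete_transient( $key );
        wp_send_json_error( 'invalid code' );
    }
    if ( '' === $otp || ! wp_check_password( $otp, $state['hash'] ) ) {
        $state['attempts']++;
        set_transient( $key, $state, max( 1, $state['expires'] - time() ) );
        wp_send_json_error( 'invalid code' );
    }
    if ( strlen( $new_pass ) < 12 ) {
        wp_send_json_error( 'password too short' );
    }

    delete_transient( $key );                                    // single use
    wp_set_password( $new_pass, $user->ID );
    WP_Session_Tokens::get_instance( $user->ID )->destroy_all(); // drop existing sessions
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_demo_safe_reset', 'demo_safe_reset_password' );
```

The code goes through wp_hash_password and wp_check_password rather than a plain string comparison so that the check is constant-time and a leaked options table yields nothing usable. A six-digit code with five attempts inside a five-minute window gives an attacker at most a 5-in-1,000,000 chance per issued code, which is why the attempt limit and expiry matter more than the length of the code. Destroying the user's existing sessions after the reset ensures that whoever held the account before the reset is logged out as well.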

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000
  References: changed (values not listed)

Tue, 21 Oct 2025 09:45:00 +0000
  First Time appeared, values added: Gsayed786; Gsayed786 orion Sms Otp Verification; Wordpress; Wordpress wordpress
  Vendors & Products, values added: Gsayed786; Gsayed786 orion Sms Otp Verification; Wordpress; Wordpress wordpress

Wed, 15 Oct 2025 15:15:00 +0000
  Metrics, values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Oct 2025 08:45:00 +0000
  Description, values added: The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's password to a one-time password if the attacker knows the user's phone number
  Title, values added: Orion SMS OTP Verification <= 1.1.7 - Authentication Bypass via Account Takeover
  Weaknesses, values added: CWE-288
  References, values added: (not listed)
  Metrics, values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:09.049Z

Reserved: 2025-09-03T23:15:21.262Z

Link: CVE-2025-9967

Vulnrichment

Updated: 2025-10-15T13:23:43.156Z

NVD

Status : Deferred

Published: 2025-10-15T09:15:43.500

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9967

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses