Description
The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well as to create new accounts.
Published: 2026-07-16
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Jul 2026 06:30:00 +0000

Type Values Removed Values Added
Description The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well as to create new accounts.
Title Happy Coders OTP Login for WooCommerce < 2.8 - Unauthenticated Account Takeover via hcotp_auto_login_user
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-07-16T06:00:03.419Z

Reserved: 2026-06-17T08:25:07.733Z

Link: CVE-2026-12492

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses

No weakness.