Description
The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise.
Published: 2026-05-27
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Login with OTP plugin for WordPress contains a flaw in the OTP validation flow that skips the rate-limit check introduced in a prior fix. Because the check is applied only when an OTP is generated, every attempt to validate a user's one-time password is evaluated, and it is accepted as soon as the submitted code matches the stored 6-digit value. The code is limited neither in lifetime nor in number of attempts, leaving 900,000 possibilities that an unauthenticated attacker can brute-force. An attacker who succeeds obtains a `wp_set_auth_cookie()` session with the privileges of the targeted account, including administrators, and thereby full site compromise. This is an instance of CWE-307 (Improper Restriction of Excessive Authentication Attempts).

Affected Systems

The vulnerability affects the WordPress plugin Login with OTP, authored by india-web-developer. All released versions up to and including 1.6 are impacted. Any site with the plugin active is exposed; administrator accounts are the most valuable targets, since a successful bypass yields a session with full admin-dashboard privileges.

Risk and Exploitability

The severity of this issue is critical, with a CVSS score of 9.8. The EPSS score is currently below 1%, but the absence of any rate limit and the ease of automating the guessing suggest a high likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog. The flaw is exploitable remotely: an attacker repeatedly calls the OTP validation endpoint over HTTP/HTTPS with candidate codes until one is accepted, at which point the server issues a valid authentication cookie and the attacker can operate with the victim's privileges.

Generated by OpenCVE AI on May 27, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest published version of the Login with OTP plugin that resolves the authentication bypass flaw.
  • If an update is not yet available, temporarily block access to the OTP endpoint or disable the OTP feature entirely while ensuring your site’s primary authentication remains active.
  • Introduce external rate limiting or CAPTCHA protection on the OTP endpoint, or enable comprehensive site‑wide brute‑force detection tools such as Wordfence or ModSecurity to mitigate rapid, automated credential guessing.
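A hardened handler pattern for the two defects the description names (the lockout check evaluated before both the generation and the validation branch, and an OTP that expires), as an added, constructed example; it is not the plugin's code, and the function names, transient keys and limits below are assumptions:

```php
<?php
// Constructed illustration, not the Login with OTP plugin's code. One lockout
// check runs before BOTH branches, the OTP carries an expiry, and the failure
// counter is only cleared on success. All names and limits are assumptions.

const OTP_TTL_SECONDS  = 300;   // OTP is unusable after 5 minutes
const OTP_MAX_ATTEMPTS = 5;     // failures allowed before lockout
const OTP_LOCKOUT_SECS = 900;   // lockout window after too many failures

function otp_attempt_key(int $user_id): string { return "otp_attempts_{$user_id}"; }

/** True while the account is locked out; consulted on every request, not only on generate. */
function otp_is_locked(int $user_id): bool {
    return (int) get_transient(otp_attempt_key($user_id)) >= OTP_MAX_ATTEMPTS;
}

/** Generate a 6-digit OTP and store only its keyed hash plus an expiry timestamp. */
function otp_generate(int $user_id): void {
    $code = str_pad((string) wp_rand(0, 999999), 6, '0', STR_PAD_LEFT);
    set_transient("otp_code_{$user_id}",
        ['hash' => wp_hash($code), 'expires' => time() + OTP_TTL_SECONDS],
        OTP_TTL_SECONDS);
    // $code is delivered out of band (e-mail/SMS) here; it is never returned to the browser.
}

/** Validate a submitted OTP: enforce expiry, compare in constant time, count failures. */
function otp_validate(int $user_id, string $submitted): bool {
    $record = get_transient("otp_code_{$user_id}");
    $ok = is_array($record)
        && time() <= $record['expires']
        && hash_equals($record['hash'], wp_hash($submitted));
    if (!$ok) {
        $attempts = (int) get_transient(otp_attempt_key($user_id)) + 1;
        set_transient(otp_attempt_key($user_id), $attempts, OTP_LOCKOUT_SECS);
        return false;
    }
    delete_transient("otp_code_{$user_id}");       // single use
    delete_transient(otp_attempt_key($user_id));   // reset counter only on success
    return true;
}

/** Single entry point: the lockout check precedes the branch, so both paths are covered. */
function otp_login_action(int $user_id, string $action, string $submitted = ''): bool {
    if (otp_is_locked($user_id)) { return false; }
    if ($action === 'generate') { otp_generate($user_id); return true; }
    if ($action === 'validate' && otp_validate($user_id, $submitted)) {
        wp_set_auth_cookie($user_id);
        return true;
    }
    return false;
}
```

The counter is keyed per user here; a deployment would typically also key it per source IP so that one locked account does not reveal which usernames exist.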

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000
  Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000
  First time appeared: India-web-developer; India-web-developer Login With Otp; Wordpress; Wordpress wordpress
  Vendors & products added: India-web-developer; India-web-developer Login With Otp; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000
  Description added: (identical to the Description section above)
  Title added: Login with OTP <= 1.6 - Unauthenticated Authentication Bypass via OTP Brute Force
  Weaknesses added: CWE-307
  References added: (none listed)
  Metrics added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

India-web-developer Login With Otp
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:33:35.523Z

Reserved: 2026-05-16T18:34:47.484Z

Link: CVE-2026-8760

Vulnrichment

Updated: 2026-05-27T10:33:31.000Z

NVD

Status : Received

Published: 2026-05-27T07:16:14.927

Modified: 2026-05-27T07:16:14.927

Link: CVE-2026-8760

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:03Z

Weaknesses