CRITICAL🇵🇱 Wersja polska

CVE-2026-8760

CVSS 9.8v3.1pub. 2026-05-27

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise.

🤖 AI Analysis
How it works

The mechanism limiting the number of attempts (rate-limit/lockout) was added only in the branch responsible for OTP code generation in the `otpl_login_action()` function, while it is never checked in the OTP code validation branch. Additionally, the generated 6-digit OTP code has no expiration time, leaving a space of 900,000 possible values open to unlimited guessing attempts. An unauthenticated attacker can fully automate a brute-force attack on the OTP code of any user account, including the administrator. After guessing the correct code, the plugin calls `wp_set_auth_cookie()`, granting the attacker a valid authenticated session.

Impact

An attacker without any privileges can take over any WordPress user account, including the administrator account, gaining full control over the website, its data, and infrastructure.

Mitigation & patch

Patches available from the vendor should be applied according to the references — update the Login with OTP plugin to a version higher than 1.6, in which the rate-limiting fix also covers the OTP validation branch and OTP code expiration was introduced.

Who is affected

Login with OTP plugin for WordPress in all versions up to and including 1.6.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References