CVE-2025-7692

HIGH

Orion Login with SMS <1.0.5 - Auth Bypass

Title source: llm

Description

The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the olws_handle_verify_phone() function not utilizing a strong enough OTP value, exposing the hash needed to generate the OTP value, and no restrictions on the number of attempts to submit the code. This makes it possible for unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number.

References (2)

[Product] https://wordpress.org/plugins/orion-login-with-sms/

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/31a47cbd-c19b-4ac3-87ed-2d4c5c0e9cb7?source=cve

Scores

CVSS v3 8.1

EPSS 0.0020

EPSS Percentile 41.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-288

Status published

Products (1)

gsayed786/Orion Login with SMS < 1.0.5

Published Jul 22, 2025

Tracked Since Feb 18, 2026