CVE-2026-8760

CRITICAL

Login with OTP <= 1.6 - Unauthenticated Authentication Bypass via OTP Brute Force

Title source: cna

Description

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise.

References (10)

Core 10

Core References

https://www.wordfence.com/threat-intel/vulnerabilities/id/ad22cb24-e6a0-456f-afe8-88a39acd97d3?source=cve

https://plugins.trac.wordpress.org/browser/otp-login/tags/1.6/lib/otpl-class.php#L419

https://plugins.trac.wordpress.org/browser/otp-login/trunk/lib/otpl-class.php#L419

https://plugins.trac.wordpress.org/browser/otp-login/tags/1.6/lib/otpl-class.php#L424

https://plugins.trac.wordpress.org/browser/otp-login/trunk/lib/otpl-class.php#L424

https://plugins.trac.wordpress.org/browser/otp-login/tags/1.6/lib/otpl-class.php#L427

https://plugins.trac.wordpress.org/browser/otp-login/trunk/lib/otpl-class.php#L427

https://plugins.trac.wordpress.org/browser/otp-login/tags/1.6/lib/otpl-class.php#L361

https://plugins.trac.wordpress.org/browser/otp-login/trunk/lib/otpl-class.php#L361

https://nvd.nist.gov/vuln/detail/CVE-2024-11178

Scores

CVSS v3 9.8

EPSS 0.0060

EPSS Percentile 43.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-307

Status published

Products (1)

india-web-developer/Login with OTP <= 1.6

Published May 27, 2026

Tracked Since May 27, 2026