The WordPress "Login with OTP" plugin is vulnerable to authentication bypass via brute-forcing of the 6-digit OTP, which lacks expiration and rate-lim...
Description
The WordPress "Login with OTP" plugin is vulnerable to authentication bypass via brute-forcing of the 6-digit OTP, which lacks expiration and rate-limiting on the validation branch.
AI Analyst Comment
Remediation
Update WordPress is vulnerable to the latest version. Check vendor security advisory for specific patch details. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: WordPress
PRODUCT: Login with OTP
AFFECTED_VERSIONS: Up to and including 1.6
---END_METADATA---
Description Summary:
The WordPress "Login with OTP" plugin is vulnerable to authentication bypass via brute-forcing of the 6-digit OTP, which lacks expiration and rate-limiting on the validation branch.
Executive Summary:
An authentication bypass vulnerability in the WordPress Login with OTP plugin allows unauthenticated attackers to brute-force OTPs and hijack administrative accounts.
Vulnerability Details
CVE-ID: CVE-2026-8760
Affected Software: WordPress, Login with OTP plugin
Affected Versions: Up to and including 1.6
Vulnerability: The plugin fails to enforce rate-limiting or expiration on the OTP validation branch, despite an incomplete fix for a previous CVE. This design flaw allows an unauthenticated attacker to brute-force the 900,000-value OTP space and gain unauthorized access to any user account, including administrators.
Business Impact
The ability for an unauthenticated attacker to gain full administrative access to a WordPress site poses an existential risk. A CVSS score of 9.8 confirms the severity, as this flaw could lead to complete site takeover, malicious content injection, and total loss of site control.
Remediation Plan
Immediate Action: Update the "Login with OTP" plugin to the latest version or remove the plugin if a secure version is not available.
Proactive Monitoring: Review user login logs for multiple failed attempts followed by a successful login, which may indicate brute-force activity.
Compensating Controls: Implement an additional layer of authentication or disable the plugin until a permanent patch is confirmed and applied.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of May 27, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
This flaw effectively nullifies the purpose of the OTP plugin. Administrators should immediately update the plugin. If updates are not immediately available, the plugin should be disabled to prevent account takeovers, as the current implementation offers no protection against determined attackers.