CVE-2025-12374

The · The Email Multiple Products

A critical authentication bypass vulnerability has been identified in a popular WordPress plugin, The Email Multiple Products.

Executive summary

A critical authentication bypass vulnerability has been identified in a popular WordPress plugin, The Email Multiple Products. This flaw allows an unauthenticated attacker to gain complete administrative control over a website by logging in as any user, simply by submitting an empty One-Time Password (OTP). Successful exploitation could lead to a full site compromise, data theft, and significant reputational damage.

Vulnerability

The vulnerability exists within the user_verification_form_wrap_process_otpLogin function of the WordPress plugin. The function improperly handles the OTP verification process by failing to first check if an OTP was legitimately generated for the user. An attacker can exploit this by initiating a login for a known user (e.g., an administrator) and submitting a blank or empty value in the OTP field. Because the system does not validate against a generated code, it incorrectly accepts the empty value as a match, granting the attacker a fully authenticated session as the targeted user.
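To make the defect class concrete, the following is an added illustration, not the plugin's own code: a hypothetical OTP login check written in the shape the advisory describes (no check that a code was ever issued), followed by a hardened version that a WordPress plugin could use. The function names and user-meta keys (`emp_otp_code`, `emp_otp_expires`) are assumptions; the WordPress API calls (`get_user_meta`, `hash_equals`, `wp_set_auth_cookie`, `delete_user_meta`) are real.

```php
<?php
// Added example, not the plugin's code. Meta keys and function names are assumed.

// Vulnerable pattern: the stored code is never checked for existence. For a user
// who has no pending OTP, get_user_meta() returns '' (meta unset), so a submitted
// empty string compares equal and the login succeeds.
function vulnerable_otp_login( int $user_id, string $submitted ) : bool {
    $stored = get_user_meta( $user_id, 'emp_otp_code', true ); // '' when unset
    if ( $stored == $submitted ) {                             // '' == '' is true
        wp_set_auth_cookie( $user_id );
        return true;
    }
    return false;
}

// Hardened version: reject blank input, require a pending and unexpired code,
// compare in constant time, and invalidate the code after one use.
function hardened_otp_login( int $user_id, string $submitted ) : bool {
    $submitted = trim( $submitted );
    if ( $submitted === '' ) {
        return false;
    }
    $stored  = get_user_meta( $user_id, 'emp_otp_code', true );
    $expires = (int) get_user_meta( $user_id, 'emp_otp_expires', true );
    if ( ! is_string( $stored ) || $stored === '' || $expires < time() ) {
        return false; // no OTP was generated for this user, or it has expired
    }
    if ( ! hash_equals( $stored, $submitted ) ) {
        return false;
    }
    // Single use: burn the code before establishing the session.
    delete_user_meta( $user_id, 'emp_otp_code' );
    delete_user_meta( $user_id, 'emp_otp_expires' );
    wp_set_auth_cookie( $user_id );
    return true;
}
```

The ordering in the hardened function matters: the existence and expiry checks run before any comparison, so an absent code can never be "matched", and the constant-time comparison only ever runs against a code that was genuinely issued.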

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a direct and immediate threat to the organization. An attacker gaining administrator-level access can result in a complete compromise of the affected WordPress site. Potential consequences include theft of sensitive customer or user data, website defacement, injection of malware or ransomware, using the site for phishing campaigns, and potentially pivoting to attack other internal network resources. Such an incident could lead to severe financial loss, regulatory fines, loss of customer trust, and lasting reputational harm.

Remediation

Immediate Action: Update The Email Multiple Products plugin to the latest patched version provided by the vendor. After patching, it is crucial to review all administrator-level accounts for any unauthorized changes or suspicious activity. Review server access logs for indicators of compromise that may have occurred prior to applying the patch.

Proactive Monitoring: Implement enhanced logging and monitoring focused on WordPress authentication events. Specifically, search for successful login attempts where the OTP value is empty, null, or missing from the request logs. Monitor for an unusual volume of login attempts from single IP addresses and look for successful logins from unexpected geographic locations.
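The log search described above needs a log that actually records form parameters; a stock web server access log does not capture POST bodies, so the OTP field has to come from an application-level or WAF log. The following is an added detection example, not from the advisory or the plugin, that assumes a JSON-lines log with the request parameters and the user the request ended up authenticated as. The field names, the `otp_login` action name and all sample lines are constructed for this illustration.

```php
<?php
// Added detection example (not the plugin's or the advisory's code). Log format,
// field names, action name and sample lines are constructed assumptions.
$sample_log = <<<'LOG'
{"ts":"2025-11-02T09:14:05Z","ip":"203.0.113.7","params":{"action":"otp_login","user_login":"admin","otp":""},"auth_user":"admin"}
{"ts":"2025-11-02T09:14:09Z","ip":"198.51.100.23","params":{"action":"otp_login","user_login":"editor","otp":"483921"},"auth_user":"editor"}
{"ts":"2025-11-02T09:15:40Z","ip":"203.0.113.7","params":{"action":"otp_login","user_login":"admin"},"auth_user":"admin"}
{"ts":"2025-11-02T09:16:02Z","ip":"192.0.2.44","params":{"action":"otp_login","user_login":"admin","otp":""},"auth_user":null}
{"ts":"2025-11-02T09:16:30Z","ip":"203.0.113.7","params":{"action":"heartbeat"},"auth_user":"admin"}
LOG;

// Returns successful OTP logins whose otp parameter was absent, null or blank,
// plus a per-IP count of all OTP login attempts for volume-based alerting.
function analyse_otp_log( string $log ) : array {
    $hits           = [];
    $attempts_by_ip = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $e = json_decode( $line, true );
        if ( ! is_array( $e ) || ( $e['params']['action'] ?? '' ) !== 'otp_login' ) {
            continue; // malformed line or not an OTP login request
        }
        $ip = $e['ip'] ?? 'unknown';
        $attempts_by_ip[ $ip ] = ( $attempts_by_ip[ $ip ] ?? 0 ) + 1;

        $otp       = $e['params']['otp'] ?? null;              // missing -> null
        $otp_empty = $otp === null || trim( (string) $otp ) === '';
        $succeeded = ! empty( $e['auth_user'] );               // null/'' -> failed
        if ( $otp_empty && $succeeded ) {
            $hits[] = [ 'ts' => $e['ts'], 'ip' => $ip, 'user' => $e['auth_user'] ];
        }
    }
    return [ 'hits' => $hits, 'attempts_by_ip' => $attempts_by_ip ];
}

$result = analyse_otp_log( $sample_log );
foreach ( $result['hits'] as $h ) {
    printf( "%s  %-15s  successful login as '%s' with empty OTP\n",
            $h['ts'], $h['ip'], $h['user'] );
}
foreach ( $result['attempts_by_ip'] as $ip => $n ) {
    if ( $n >= 2 ) { // threshold is arbitrary for the sample; tune to your baseline
        printf( "%-15s  %d OTP login attempts\n", $ip, $n );
    }
}
```

On the constructed sample this flags the two successful `admin` logins from 203.0.113.7 (one blank `otp`, one with the parameter absent) and ignores the blank-OTP request that was rejected, which is the distinction the advisory asks for: a rejected blank OTP is noise, an accepted one is an indicator of compromise.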

Compensating Controls: If immediate patching is not feasible, consider the following mitigating actions:

  • Temporarily disable the plugin until it can be safely updated.
  • If disabling the entire plugin is not possible, disable the OTP or passwordless login feature specifically.
  • Deploy a Web Application Firewall (WAF) with a virtual patch rule to block login requests to the affected function that contain an empty OTP parameter.
  • Restrict access to the WordPress login and admin pages (/wp-login.php and /wp-admin/) to trusted IP addresses only.
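A virtual patch of the kind described in the WAF bullet, as an added ModSecurity example that is not a vendor-supplied rule. The parameter names (`action=otp_login` and `otp`) are assumptions and must be replaced with the request shape the plugin actually uses; the rule ids are placeholders in the user-reserved range.

```apache
# Added example, not a vendor rule. Parameter names and rule ids are assumptions.

# Deny a passwordless-login request whose otp parameter is present but blank.
SecRule ARGS:action "@streq otp_login" \
    "id:1009001,phase:2,deny,status:403,log,msg:'CVE-2025-12374 virtual patch: blank OTP',chain"
    SecRule ARGS:otp "@rx ^\s*$" "t:none"

# Deny the same request when the otp parameter is absent altogether.
SecRule ARGS:action "@streq otp_login" \
    "id:1009002,phase:2,deny,status:403,log,msg:'CVE-2025-12374 virtual patch: missing OTP',chain"
    SecRule &ARGS:otp "@eq 0" "t:none"
```

Two rules are needed because "blank" and "missing" are different conditions in ModSecurity: the first matches an `otp` argument whose value is only whitespace, the second uses the `&` count operator to match when no `otp` argument was sent. Both leave legitimate logins with a populated code untouched, so the rule can stay in place until the plugin is patched.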

Exploitation status

Public Exploit Available: False (as of the date of this report)

Analyst recommendation

Given the critical CVSS score of 9.8 and the ease of exploitation, this vulnerability requires immediate attention. The primary recommendation is to apply the vendor-supplied patch to all affected websites without delay. Although this CVE is not currently listed on the CISA KEV list, its severity warrants treating it with the highest priority, as if it were. After patching, a thorough security review of user accounts and site integrity is strongly advised to detect and remediate any potential pre-existing compromise.