CVE-2026-3655

WordPress · OTP Login With Phone Number, OTP Verification Plugin

The OTP Login With Phone Number plugin for WordPress is vulnerable to authentication bypass, allowing unauthenticated attackers to hijack user accounts by exploiting a flawed Firebase verification flow.

Executive summary

A critical authentication bypass flaw in the WordPress OTP Login plugin allows unauthenticated attackers to gain administrative access to sites by hijacking legitimate Firebase sessions.

Vulnerability

The vulnerability exists in the lwp_ajax_register AJAX handler, where the Firebase session is not correctly bound to the user's phone number. An unauthenticated attacker can verify their own Firebase session but supply a victim's phone number in the request, causing the application to incorrectly authenticate the attacker as that user.
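The binding failure described above, shown as an added PHP example that is not the plugin's own code: the vulnerable pattern selects the WordPress account by the phone number sent in the request, while the hardened pattern trusts only the phone_number claim of the already server-verified Firebase ID token. The helper name lwp_find_user_by_phone, the lwp_phone meta key, and the shape of the $claims and $request arrays are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes $claims is the payload of a
// Firebase ID token that has ALREADY been verified server-side (signature,
// issuer, audience, expiry) and $request is the decoded AJAX POST body.

// Hypothetical helper: resolve a WP_User from the phone number stored in user meta.
function lwp_find_user_by_phone( string $phone ) {
    $users = get_users( array(
        'meta_key'   => 'lwp_phone',   // hypothetical meta key
        'meta_value' => $phone,
        'number'     => 1,
    ) );
    return $users ? $users[0] : null;
}

// VULNERABLE pattern: the session is valid, but the phone number that chooses
// the account comes from attacker-controlled request input, so any verified
// session can be paired with any registered phone number.
function lwp_login_vulnerable( array $claims, array $request ) {
    $phone = sanitize_text_field( $request['phone'] ?? '' );
    $user  = lwp_find_user_by_phone( $phone );
    if ( ! $user ) {
        return null;
    }
    wp_set_auth_cookie( $user->ID );
    return $user->ID;
}

// HARDENED pattern: the only phone number trusted is the one Firebase verified.
// Phone-auth ID tokens carry it as the E.164 'phone_number' claim; the request
// value is compared for consistency but never used to select the account.
function lwp_login_hardened( array $claims, array $request ) {
    $verified_phone  = (string) ( $claims['phone_number'] ?? '' );
    $requested_phone = sanitize_text_field( $request['phone'] ?? '' );
    if ( '' === $verified_phone || $verified_phone !== $requested_phone ) {
        return null; // session not bound to the phone the client claims
    }
    $user = lwp_find_user_by_phone( $verified_phone );
    if ( ! $user ) {
        return null;
    }
    wp_set_auth_cookie( $user->ID );
    return $user->ID;
}
```

Returning null in the hardened function should map to wp_send_json_error in the real handler; the comparison assumes both sides are normalized to E.164 before the check.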

Business impact

The CVSS score of 9.8 reflects the high risk of account takeover. If an attacker targets an administrator's account, they can gain full control over the WordPress site, leading to complete data loss, site defacement, or the injection of malicious code into the site's front end.

Remediation

Immediate Action: Update the "OTP Login With Phone Number, OTP Verification" plugin to the latest version provided by the vendor as soon as possible.

Proactive Monitoring: Review WordPress user account logs for suspicious logins, particularly those involving administrative accounts, and monitor for unauthorized changes to user metadata.

Compensating Controls: Temporarily disable the plugin if an update is not immediately available, or implement a secondary authentication factor (MFA) that is not tied to the vulnerable OTP verification flow.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given that this vulnerability allows trivial account takeover, including of administrative accounts, organizations should treat this update as a high priority. Ensure all WordPress sites using this plugin are updated immediately to mitigate the risk of unauthorized access.