CVE-2026-8760

WordPress · Login with OTP

The WordPress "Login with OTP" plugin is vulnerable to authentication bypass via brute-forcing of the 6-digit OTP: the plugin's OTP validation branch enforces neither expiration nor rate-limiting.

Executive summary

An authentication bypass vulnerability in the WordPress Login with OTP plugin allows unauthenticated attackers to brute-force OTPs and hijack administrative accounts.

Vulnerability

The plugin fails to enforce rate-limiting or expiration on the OTP validation branch; the fix shipped for a previous CVE was incomplete and left this gap in place. This design flaw allows an unauthenticated attacker to brute-force the 900,000-value OTP space and gain unauthorized access to any user account, including administrators.

Business impact

The ability for an unauthenticated attacker to gain full administrative access to a WordPress site poses an existential risk. A CVSS score of 9.8 confirms the severity, as this flaw could lead to complete site takeover, malicious content injection, and total loss of site control.

Remediation

Immediate Action: Update the "Login with OTP" plugin to the latest version or remove the plugin if a secure version is not available.

Proactive Monitoring: Review user login logs for multiple failed attempts followed by a successful login, which may indicate brute-force activity.

Compensating Controls: Implement an additional layer of authentication or disable the plugin until a permanent patch is confirmed and applied.
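The monitoring recommendation above can be turned into a simple detection rule: flag any successful OTP login that was preceded by a burst of failed OTP validations for the same account and source address. The following is an added example, not code from the advisory or the plugin; the log line format and the sample entries are constructed for illustration, since the advisory does not document the plugin's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): one line per OTP validation.
# The first account shows a burst of failures followed by a success.
SAMPLE_LOG = """\
2026-05-01T10:00:01Z ip=203.0.113.5 user=admin event=otp_failed
2026-05-01T10:00:02Z ip=203.0.113.5 user=admin event=otp_failed
2026-05-01T10:00:02Z ip=203.0.113.5 user=admin event=otp_failed
2026-05-01T10:00:03Z ip=203.0.113.5 user=admin event=otp_failed
2026-05-01T10:00:04Z ip=203.0.113.5 user=admin event=otp_failed
2026-05-01T10:00:05Z ip=203.0.113.5 user=admin event=otp_success
2026-05-01T10:05:00Z ip=198.51.100.7 user=editor event=otp_failed
2026-05-01T10:05:30Z ip=198.51.100.7 user=editor event=otp_success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>otp_failed|otp_success)$"
)


def parse_log(text):
    """Yield (timestamp, ip, user, event) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["event"]


def find_otp_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for (user, ip) pairs whose successful OTP login was
    preceded by at least `threshold` failed validations within `window`."""
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for ts, ip, user, event in parse_log(text):
        key = (user, ip)
        # Keep only failures that fall inside the sliding window.
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if event == "otp_failed":
            failures[key].append(ts)
        elif len(failures[key]) >= threshold:
            alerts.append({"user": user, "ip": ip,
                           "failures": len(failures[key]), "success_at": ts})
            failures[key].clear()
    return alerts


if __name__ == "__main__":
    for alert in find_otp_bruteforce(SAMPLE_LOG):
        print(alert)
```

A genuine sweep of the 900,000-value space produces far more failures than this sample, so the threshold can be set conservatively; keying on the account alone rather than (account, ip) also catches attempts spread across rotating source addresses.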

Exploitation status

Public Exploit Available: false

Analyst recommendation

This flaw effectively nullifies the purpose of the OTP plugin. Administrators should immediately update the plugin. If updates are not immediately available, the plugin should be disabled to prevent account takeovers, as the current implementation offers no protection against determined attackers.