CVE-2026-14245

cyberlord92 · miniOrange OTP Login, Verification and SMS Notifications

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to an authentication bypass that allows unauthenticated attackers to hijack administrator accounts.

Executive summary

An unauthenticated authentication bypass vulnerability in the miniOrange OTP plugin allows attackers to perform a full administrator account takeover.

Vulnerability

The vulnerability exists in the um_reset_password_process_hook() function, which fails to verify if the OTP validation process was completed. Unauthenticated attackers can manipulate the username_b parameter to generate a password-reset URL for any user, including administrators, without requiring a valid OTP session.

Business impact

Successful exploitation of this vulnerability grants an attacker full administrative access to the affected WordPress installation. This leads to complete compromise of site data, the ability to inject malicious code or redirects, and potential full system takeover, posing a severe threat to business operations and data integrity. The CVSS score of 9.8 reflects the critical nature of this unauthenticated remote exploit.

Remediation

Immediate Action: Update the miniOrange OTP Login, Verification and SMS Notifications plugin to the latest available version immediately.

Proactive Monitoring: Review WordPress user management logs for unexpected password reset requests or unauthorized account modifications.

Compensating Controls: Ensure the Ultimate Member Password Reset Form integration is disabled if not strictly required, and consider implementing rate-limiting on password reset forms via a Web Application Firewall (WAF).

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability is critical due to the ease with which an unauthenticated attacker can gain administrative control. Administrators must prioritize updating the plugin to the latest version to close this security gap. Failure to act leaves the site highly susceptible to complete compromise.