The OTP Login With Phone Number plugin for WordPress contains an authentication bypass vulnerability in versions 1.8.50 through 1.8.60. The vulnerability exists in the Firebase verification flow where the AJAX handler fails to bind Firebase sessions to the supplied phone number. The idehweb_lwp_activate_through_firebase() function validates Firebase OTP sessions but never compares the Firebase-returned phone number against the victim's stored phone number. This allows unauthenticated attackers to authenticate as any user with a stored phone number by verifying their own Firebase session while supplying the victim's phone number in the request. The vulnerability affects all user accounts including administrators, making it particularly critical for WordPress sites using this plugin.