


Perceptive Security
SOC/SIEM Consultancy

The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to …
Published:
28 May 2026 at 22:00:00
Alert date:
29 May 2026 at 09:01:28
Source:
nvd.nist.gov
Web Technologies, Identity & Access
The OTP Login With Phone Number plugin for WordPress contains an authentication bypass in versions 1.8.50 through 1.8.60. The flaw is in the Firebase verification flow: the lwp_ajax_register AJAX handler fails to bind the Firebase session to the phone number being logged in. The idehweb_lwp_activate_through_firebase() function checks that the Firebase OTP session is valid but never compares the phoneNumber that Firebase returns against the stored phone number of the account being activated. An unauthenticated attacker can therefore complete Firebase OTP verification for a phone number they control and, in the same request, supply the victim's phone number; the plugin logs them in as whichever user owns that number, including administrators. The necessary check is that the Firebase-attested phoneNumber, not the caller-supplied one, selects the account.
Technical details
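The following PHP is an added illustration of the flow described above; it is not the plugin's code and is not taken from the linked changeset. Function names (firebase_verify_session, activate_vulnerable, activate_hardened, find_user_by_phone, normalise_phone), the token format and the user table are hypothetical stand-ins for the Firebase verifier and WordPress usermeta. The vulnerable handler only checks that the Firebase session is valid; the hardened one also requires the Firebase-attested phoneNumber to match the requested one and uses the attested number for the account lookup.

```php
<?php
// Added example (not the plugin's code). Models the lwp_ajax_register /
// idehweb_lwp_activate_through_firebase() flow with a simulated Firebase
// verifier and an in-memory user table. All names below are hypothetical.

declare(strict_types=1);

// Constructed user table: what WordPress would hold in usermeta.
const USERS = [
    1 => ['login' => 'admin',    'phone' => '+15550000001', 'role' => 'administrator'],
    2 => ['login' => 'attacker', 'phone' => '+15550009999', 'role' => 'subscriber'],
];

// Stand-in for verifying a Firebase session. A real implementation asks
// Firebase and receives the phone number the OTP was actually sent to.
// Here a constructed token of the form "valid:<phone>" plays that role.
function firebase_verify_session(string $token): ?array
{
    if (strncmp($token, 'valid:', 6) !== 0) {
        return null; // invalid or expired session
    }
    return ['phoneNumber' => substr($token, 6)];
}

// Look up the user that owns a stored phone number (like get_users() on a
// phone meta key in WordPress).
function find_user_by_phone(string $phone): ?int
{
    foreach (USERS as $id => $u) {
        if ($u['phone'] === $phone) {
            return $id;
        }
    }
    return null;
}

// Keep only digits and a leading '+' so both sides compare the same form.
function normalise_phone(string $phone): string
{
    return preg_replace('/[^0-9+]/', '', $phone) ?? '';
}

// VULNERABLE: the Firebase session is checked for validity, but the phone
// number it was issued for is never compared with the phone number in the
// request. Whoever owns the request's phone number is logged in.
function activate_vulnerable(array $request): ?int
{
    $session = firebase_verify_session($request['firebase_token'] ?? '');
    if ($session === null) {
        return null;
    }
    return find_user_by_phone($request['phone'] ?? '');
}

// HARDENED: the request's phone must equal the phone Firebase attested, and
// only the attested number is used to select the account.
function activate_hardened(array $request): ?int
{
    $session = firebase_verify_session($request['firebase_token'] ?? '');
    if ($session === null) {
        return null;
    }
    $verified  = normalise_phone($session['phoneNumber']);
    $requested = normalise_phone($request['phone'] ?? '');
    if ($verified === '' || !hash_equals($verified, $requested)) {
        return null; // session is not bound to the requested account
    }
    return find_user_by_phone($verified);
}

// Attacker verifies an OTP for their own phone, then submits the admin's phone.
$forged = [
    'firebase_token' => 'valid:+15550009999',
    'phone'          => '+15550000001',
];

$v = activate_vulnerable($forged);
$h = activate_hardened($forged);
printf("vulnerable: logs in as %s\n", $v === null ? 'nobody' : USERS[$v]['login']);
printf("hardened:   logs in as %s\n", $h === null ? 'nobody' : USERS[$h]['login']);
```

Run it with the php command-line interpreter: the vulnerable path logs the attacker in as admin, the hardened path rejects the request because the attested number (+15550009999) does not match the requested one (+15550000001). The same pattern applies to any OTP or passwordless flow that returns an identity claim from a third party: the claim, not the caller's input, must select the account.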
Mitigation steps:
Update the plugin to a version later than 1.8.60; the changeset linked below shows the change to inc/ajax-handlers.php. Until the update is applied, disable the Firebase-based OTP login flow if the plugin exposes a setting for it, or deactivate the plugin, since the bypass requires no credentials and works against any account with a stored phone number. After updating, review recent logins and newly created administrator accounts, and check web server logs for requests to admin-ajax.php carrying the lwp_ajax_register action from unexpected sources.
Affected products:
WordPress OTP Login With Phone Number Plugin
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-3655
https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.60/inc/ajax-handlers.php#L1167
https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.60/inc/ajax-handlers.php#L649
https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.60/inc/ajax-handlers.php#L659
https://plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/inc/ajax-handlers.php#L649
https://plugins.trac.wordpress.org/changeset/3479314/login-with-phone-number/trunk/inc/ajax-handlers.php?old=3455810&old_path=login-with-phone-number%2Ftrunk%2Finc%2Fajax-handlers.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/7fc410f2-5f2b-4eea-a0fb-fe58f988f95f?source=cve
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
