


Perceptive Security
SOC/SIEM Consultancy

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for C…
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 15:06:57
Source:
nvd.nist.gov
Web Technologies, Identity & Access
The Login with OTP plugin for WordPress, in all versions up to and including 1.6, contains an authentication bypass vulnerability. The cause is an incomplete fix for CVE-2024-11178: rate-limiting checks are applied only to OTP generation, not to OTP validation, and the 6-digit OTP never expires, which allows attackers to brute-force the 900,000-value OTP space. Successful exploitation grants the attacker valid authentication cookies for any user account, including administrators, leading to full site compromise.
Technical details
Mitigation steps:
Affected products:
WordPress Login with OTP plugin
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-8760
https://nvd.nist.gov/vuln/detail/CVE-2024-11178
https://plugins.trac.wordpress.org/browser/otp-login/tags/1.6/lib/otpl-class.php#L361
https://plugins.trac.wordpress.org/browser/otp-login/tags/1.6/lib/otpl-class.php#L419
https://plugins.trac.wordpress.org/browser/otp-login/tags/1.6/lib/otpl-class.php#L424
https://plugins.trac.wordpress.org/browser/otp-login/tags/1.6/lib/otpl-class.php#L427
https://plugins.trac.wordpress.org/browser/otp-login/trunk/lib/otpl-class.php#L361
https://plugins.trac.wordpress.org/browser/otp-login/trunk/lib/otpl-class.php#L419
https://plugins.trac.wordpress.org/browser/otp-login/trunk/lib/otpl-class.php#L424
https://plugins.trac.wordpress.org/browser/otp-login/trunk/lib/otpl-class.php#L427
https://www.wordfence.com/threat-intel/vulnerabilities/id/ad22cb24-e6a0-456f-afe8-88a39acd97d3?source=cve
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
