
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to …

Published:

28 May 2026 at 22:00:00

Alert date:

29 May 2026 at 09:01:28

Source:

nvd.nist.gov


Web Technologies, Identity & Access

The OTP Login With Phone Number plugin for WordPress contains an authentication bypass vulnerability in versions 1.8.50 through 1.8.60. The flaw exists in the Firebase verification flow where the lwp_ajax_register AJAX handler fails to properly bind Firebase sessions to phone numbers. The idehweb_lwp_activate_through_firebase() function validates Firebase OTP sessions but never compares the returned phoneNumber against the victim's stored phone number. This allows unauthenticated attackers to authenticate as any user with a stored phone number, including administrators, by verifying their own Firebase session while supplying the victim's phone number in the request.
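The missing binding described above, shown as an added PHP illustration that is not the plugin's own code: the `lwp_demo_*` functions, the shape of the `$firebase_session` array and the sample users are all assumptions made for this example. The vulnerable pattern selects the account from the phone number in the request after verifying the Firebase session; the hardened pattern selects it from the phone number the session actually attests to and rejects any request whose claimed phone differs.

```php
<?php
// Added illustration only; not code from the OTP Login With Phone Number plugin.
// All lwp_demo_* names are hypothetical and the Firebase lookup is stubbed
// as an already-decoded array.

/**
 * Normalise a phone number to "+<digits>" so that "+31 6 1234 5678" and
 * "+31612345678" compare equal. Comparison must happen on a canonical form,
 * otherwise a formatting difference alone would cause a false mismatch.
 */
function lwp_demo_normalize_phone(string $phone): string {
    return '+' . preg_replace('/[^0-9]/', '', $phone);
}

/**
 * Vulnerable pattern: the session is verified, but the phone number it
 * attests to is never compared with the phone the request names, so the
 * request alone decides which account is activated.
 */
function lwp_demo_activate_vulnerable(array $firebase_session, string $requested_phone, array $users): ?array {
    if (empty($firebase_session['verified'])) {
        return null; // Firebase session did not verify
    }
    foreach ($users as $user) {
        if ($user['phone'] === $requested_phone) {
            return $user; // account chosen solely by the request's phone
        }
    }
    return null;
}

/**
 * Hardened pattern: the account is chosen by the phone number Firebase
 * verified, and the request's phone must match it exactly.
 */
function lwp_demo_activate_hardened(array $firebase_session, string $requested_phone, array $users): ?array {
    if (empty($firebase_session['verified']) || empty($firebase_session['phoneNumber'])) {
        return null; // no verified session, or no attested phone to bind to
    }
    $verified  = lwp_demo_normalize_phone($firebase_session['phoneNumber']);
    $requested = lwp_demo_normalize_phone($requested_phone);

    // Bind the session to the claimed identity before touching any account.
    if (!hash_equals($verified, $requested)) {
        error_log('lwp_demo: verified Firebase phone does not match requested phone; refusing login');
        return null;
    }
    foreach ($users as $user) {
        if (lwp_demo_normalize_phone($user['phone']) === $verified) {
            return $user;
        }
    }
    return null; // verified phone belongs to no account
}

// Constructed sample data for the demonstration.
$users = [
    ['id' => 1, 'login' => 'admin', 'phone' => '+31612345678'],
    ['id' => 7, 'login' => 'alice', 'phone' => '+31687654321'],
];
// A session that Firebase verified for alice's phone number.
$session = ['verified' => true, 'phoneNumber' => '+31687654321'];

$v     = lwp_demo_activate_vulnerable($session, '+31612345678', $users); // admin
$h_bad = lwp_demo_activate_hardened($session, '+31612345678', $users);   // null
$h_ok  = lwp_demo_activate_hardened($session, '+31687654321', $users);   // alice

printf("vulnerable: %s | hardened (mismatch): %s | hardened (match): %s\n",
    $v ? $v['login'] : 'denied',
    $h_bad ? $h_bad['login'] : 'denied',
    $h_ok ? $h_ok['login'] : 'denied');
```

The check that matters is the `hash_equals($verified, $requested)` step: once the account is looked up by the attested phone rather than the requested one, a session can only ever activate the account whose phone Firebase confirmed. A defender reviewing an OTP or passwordless login handler can apply the same test to any provider flow: find the value the provider attests to, and confirm the code compares it with the identity the request claims before any session is created.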

Technical details

Mitigation steps:

Affected products:

WordPress OTP Login With Phone Number Plugin

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
