Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote, unauthenticated, single-request admin takeover using a public nonce with no role check justifies AV:N/AC:L/PR:N/UI:N and full C/I/A High; the config prerequisite is not a CVSS base metric.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the um_reset_password_process_hook() function performing no server-side verification that the OTP validation step was completed, and relying solely on a public form_nonce nonce that the plugin itself emits to unauthenticated visitors via the moumprvar JavaScript object on the Ultimate Member password reset page, while still accepting the attacker-controlled username_b parameter to target any WordPress user without role restriction or any binding to a previously validated OTP session. This makes it possible for unauthenticated attackers to obtain a freshly generated password-reset URL for an arbitrary Administrator account - returned in a 302 Location header - and use it to take full control of that account. Exploitation requires the Ultimate Member Password Reset Form integration to be active and the plugin to not be configured for phone-only reset.
Articles & Coverage 1
AnalysisAI
Authentication bypass in the miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress (versions up to and including 5.5.1) lets unauthenticated attackers take over any Administrator account. Because um_reset_password_process_hook() never verifies server-side that the OTP step was completed and trusts a form_nonce that the plugin itself hands to anonymous visitors via the moumprvar JavaScript object, an attacker can supply an arbitrary username_b value to receive a fresh password-reset URL for any user in the 302 Location header. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the Ultimate Member Password Reset Form integration be active AND that the plugin is NOT configured for phone-only reset - both stated explicitly in the CVE description. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical) is fully consistent with the description: remote, no authentication, no user interaction, resulting in complete account compromise, hence C/I/A all High. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker loads the public Ultimate Member password-reset page, scrapes form_nonce from the moumprvar JavaScript object, and submits a reset request with username_b set to a known administrator login. The server responds with a 302 whose Location header contains a valid reset URL for that admin account; the attacker follows it, sets a new password, and logs in with full control. … |
| Remediation | Upgrade the plugin to the fixed release published after 5.5.1; an upstream fix is available (see the plugin repository changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3595061%40miniorange-otp-verification&new=3595061%40miniorange-otp-verification), but the exact patched version number was not included in the source data, so confirm the release via the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/d34f4e77-f384-4d84-be32-0d349962b614?source=cve before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations and confirm presence of miniOrange OTP plugin versions ≤5.5.1; assess which admin accounts exist and their access scope. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42543
GHSA-26hr-8h4j-gxx3