Skip to main content

miniOrange OTP Login CVE-2026-14245

| EUVDEUVD-2026-42543 CRITICAL
Missing Authorization (CWE-862)
2026-07-09 Wordfence GHSA-26hr-8h4j-gxx3
9.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Remote, unauthenticated, single-request admin takeover using a public nonce with no role check justifies AV:N/AC:L/PR:N/UI:N and full C/I/A High; the config prerequisite is not a CVSS base metric.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 08:38 vuln.today
CVE Published
Jul 09, 2026 - 07:55 nvd
CRITICAL 9.8

DescriptionCVE.org

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the um_reset_password_process_hook() function performing no server-side verification that the OTP validation step was completed, and relying solely on a public form_nonce nonce that the plugin itself emits to unauthenticated visitors via the moumprvar JavaScript object on the Ultimate Member password reset page, while still accepting the attacker-controlled username_b parameter to target any WordPress user without role restriction or any binding to a previously validated OTP session. This makes it possible for unauthenticated attackers to obtain a freshly generated password-reset URL for an arbitrary Administrator account - returned in a 302 Location header - and use it to take full control of that account. Exploitation requires the Ultimate Member Password Reset Form integration to be active and the plugin to not be configured for phone-only reset.

AnalysisAI

Authentication bypass in the miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress (versions up to and including 5.5.1) lets unauthenticated attackers take over any Administrator account. Because um_reset_password_process_hook() never verifies server-side that the OTP step was completed and trusts a form_nonce that the plugin itself hands to anonymous visitors via the moumprvar JavaScript object, an attacker can supply an arbitrary username_b value to receive a fresh password-reset URL for any user in the 302 Location header. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Load public UM reset page
Delivery
Scrape form_nonce from moumprvar JS
Exploit
POST reset with username_b=admin
Execution
Capture reset URL from 302 Location
Persist
Set new admin password
Impact
Full site takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires that the Ultimate Member Password Reset Form integration be active AND that the plugin is NOT configured for phone-only reset - both stated explicitly in the CVE description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical) is fully consistent with the description: remote, no authentication, no user interaction, resulting in complete account compromise, hence C/I/A all High. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker loads the public Ultimate Member password-reset page, scrapes form_nonce from the moumprvar JavaScript object, and submits a reset request with username_b set to a known administrator login. The server responds with a 302 whose Location header contains a valid reset URL for that admin account; the attacker follows it, sets a new password, and logs in with full control. …
Remediation Upgrade the plugin to the fixed release published after 5.5.1; an upstream fix is available (see the plugin repository changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3595061%40miniorange-otp-verification&new=3595061%40miniorange-otp-verification), but the exact patched version number was not included in the source data, so confirm the release via the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/d34f4e77-f384-4d84-be32-0d349962b614?source=cve before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations and confirm presence of miniOrange OTP plugin versions ≤5.5.1; assess which admin accounts exist and their access scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14245 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy