Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to otpl_login_action() was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid wp_set_auth_cookie() session, leading to full site compromise.
AnalysisAI
Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthenticated attackers log in as any user, including administrators. The flaw is an incomplete fix for CVE-2024-11178: the brute-force lockout was added only to the OTP-generation code path and never checked when an OTP is validated, and the 6-digit codes never expire, so an attacker can exhaustively guess the ~900,000-value OTP space and receive a valid WordPress session cookie. CVSS is 9.8; this is rated unauthenticated (CVSS PR:N) with low attack complexity, but there is no public exploit identified at time of analysis and the issue is not in CISA KEV.
Technical ContextAI
The plugin replaces or augments WordPress login with a one-time password sent to the user. The vulnerable logic lives in the otpl_login_action() handler (see the referenced WordPress.org Trac source for tag 1.6 and trunk, otpl-class.php lines 361/419/424/427). The previous fix for CVE-2024-11178 introduced a rate-limit/lockout counter, but it was placed inside the branch that generates and sends a new OTP rather than the branch that verifies a submitted OTP. Because verification is never gated by the lockout, an attacker can submit unlimited validation attempts. This maps to CWE-307 (Improper Restriction of Excessive Authentication Attempts) - the root cause class where an authentication mechanism fails to throttle or lock out repeated guesses. A second design weakness compounds it: the generated 6-digit OTP has no expiration, so the target value stays valid indefinitely, removing any time pressure on the brute-force loop. A successful guess causes the plugin to call wp_set_auth_cookie(), minting a fully authenticated session for the chosen account.
RemediationAI
No vendor-released patch version is identified in the available data - the description states all versions through 1.6 are vulnerable and no fixed release number is provided - so monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/ad22cb24-e6a0-456f-afe8-88a39acd97d3?source=cve) and the plugin's WordPress.org page and upgrade to the first version that explicitly remediates CVE-2026-8760 as soon as it is published. Until a fix is confirmed, the most effective compensating control is to deactivate the Login with OTP plugin, which removes the vulnerable OTP login path entirely but disables OTP-based authentication for all users; if OTP cannot be removed, restrict access to the login endpoint (wp-login.php and the plugin's OTP-validation request) using a WAF or server-level IP allowlisting and add aggressive rate-limiting/lockout rules at the WAF to externally enforce the throttling the plugin omits - note this can block legitimate users behind shared NAT/proxies and does not fix the missing OTP expiration. As a defense for high-value accounts, rotate administrator credentials and audit for unexpected sessions or new admin users created during the exposure window.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32084
GHSA-cq2x-2xjr-vm5v