Skip to main content

Login with OTP CVE-2026-8760

| EUVDEUVD-2026-32084 CRITICAL
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-05-27 security@wordfence.com GHSA-cq2x-2xjr-vm5v
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 27, 2026 - 19:44 vuln.today
CVE Published
May 27, 2026 - 07:16 nvd
CRITICAL 9.8

DescriptionCVE.org

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to otpl_login_action() was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid wp_set_auth_cookie() session, leading to full site compromise.

AnalysisAI

Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthenticated attackers log in as any user, including administrators. The flaw is an incomplete fix for CVE-2024-11178: the brute-force lockout was added only to the OTP-generation code path and never checked when an OTP is validated, and the 6-digit codes never expire, so an attacker can exhaustively guess the ~900,000-value OTP space and receive a valid WordPress session cookie. CVSS is 9.8; this is rated unauthenticated (CVSS PR:N) with low attack complexity, but there is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Technical ContextAI

The plugin replaces or augments WordPress login with a one-time password sent to the user. The vulnerable logic lives in the otpl_login_action() handler (see the referenced WordPress.org Trac source for tag 1.6 and trunk, otpl-class.php lines 361/419/424/427). The previous fix for CVE-2024-11178 introduced a rate-limit/lockout counter, but it was placed inside the branch that generates and sends a new OTP rather than the branch that verifies a submitted OTP. Because verification is never gated by the lockout, an attacker can submit unlimited validation attempts. This maps to CWE-307 (Improper Restriction of Excessive Authentication Attempts) - the root cause class where an authentication mechanism fails to throttle or lock out repeated guesses. A second design weakness compounds it: the generated 6-digit OTP has no expiration, so the target value stays valid indefinitely, removing any time pressure on the brute-force loop. A successful guess causes the plugin to call wp_set_auth_cookie(), minting a fully authenticated session for the chosen account.

RemediationAI

No vendor-released patch version is identified in the available data - the description states all versions through 1.6 are vulnerable and no fixed release number is provided - so monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/ad22cb24-e6a0-456f-afe8-88a39acd97d3?source=cve) and the plugin's WordPress.org page and upgrade to the first version that explicitly remediates CVE-2026-8760 as soon as it is published. Until a fix is confirmed, the most effective compensating control is to deactivate the Login with OTP plugin, which removes the vulnerable OTP login path entirely but disables OTP-based authentication for all users; if OTP cannot be removed, restrict access to the login endpoint (wp-login.php and the plugin's OTP-validation request) using a WAF or server-level IP allowlisting and add aggressive rate-limiting/lockout rules at the WAF to externally enforce the throttling the plugin omits - note this can block legitimate users behind shared NAT/proxies and does not fix the missing OTP expiration. As a defense for high-value accounts, rotate administrator credentials and audit for unexpected sessions or new admin users created during the exposure window.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-8760 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy