Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote, unauthenticated, low-complexity bypass yields full admin takeover, so AV:N/AC:L/PR:N/UI:N with C:H/I:H/A:H; scope unchanged as impact stays within the WordPress application.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well as to create new accounts.
Articles & Coverage 1
AnalysisAI
Authentication bypass in the Happy Coders OTP Login for WooCommerce WordPress plugin (versions 1.5 through 2.7) lets unauthenticated remote attackers log in as any existing user, including administrators, and create arbitrary accounts. The plugin authenticates a user from a supplied identifier without confirming that the one-time password was ever validated. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target WordPress/WooCommerce site must have the Happy Coders OTP Login for WooCommerce plugin (version 1.5-2.7) installed and active with its OTP login endpoint reachable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict and must be weighed together. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted request to the plugin's OTP login endpoint supplying the identifier of a known administrator account (or a guessed admin email/username) and skipping or forging the OTP-validation step. Because the plugin never confirms the OTP was validated, it issues an authenticated administrator session, granting full control of the WooCommerce store. … |
| Remediation | Vendor-released patch: version 2.8. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all WordPress installations using Happy Coders OTP Login for WooCommerce versions 1.5 through 2.7 and restrict WordPress admin access to trusted IP ranges; prepare a patching plan. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44873
GHSA-33cg-9r8g-hqm4