Skip to main content

Miniorange Otp Login Verification And Sms Notifications

1 CVEs product

Monthly

CVE-2026-14245 CRITICAL Act Now

Authentication bypass in the miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress (versions up to and including 5.5.1) lets unauthenticated attackers take over any Administrator account. Because um_reset_password_process_hook() never verifies server-side that the OTP step was completed and trusts a form_nonce that the plugin itself hands to anonymous visitors via the moumprvar JavaScript object, an attacker can supply an arbitrary username_b value to receive a fresh password-reset URL for any user in the 302 Location header. No public exploit identified at time of analysis, but the flaw is trivially scriptable and carries a critical 9.8 CVSS score.

Authentication Bypass WordPress Miniorange Otp Login Verification And Sms Notifications
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
EPSS 1% CVSS 9.8
CRITICAL Act Now

Authentication bypass in the miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress (versions up to and including 5.5.1) lets unauthenticated attackers take over any Administrator account. Because um_reset_password_process_hook() never verifies server-side that the OTP step was completed and trusts a form_nonce that the plugin itself hands to anonymous visitors via the moumprvar JavaScript object, an attacker can supply an arbitrary username_b value to receive a fresh password-reset URL for any user in the 302 Location header. No public exploit identified at time of analysis, but the flaw is trivially scriptable and carries a critical 9.8 CVSS score.

Authentication Bypass WordPress Miniorange Otp Login Verification And Sms Notifications
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy