WordPress Plugin Vulnerabilities

Login With OTP < 1.5 - Authentication Bypass via Weak OTP

Description

The plugin is vulnerable to authentication bypass due to the plugin generating too weak OTP, and there’s no attempt or time limit. This makes it possible for unauthenticated attackers to generate and brute force the 6-digit numeric OTP that makes it possible to log in as any existing user on the site, such as an administrator, if they know the email address.

Affects Plugins

Fixed in 1.5

References

Classification

Miscellaneous

Original Researcher
István Márton
Verified
No

Timeline

Publicly Published
2024-12-05 (about 1 year ago)
Added
2024-12-06 (about 1 year ago)
Last Updated
2025-07-15 (about 11 months ago)

Other