
CVE-2026-8760: WordPress Login with OTP Plugin Authentication Bypass in All Versions

CVE-2026-8760
Summary

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to and including 1.6. The lockout check in `otpl_login_action()` is evaluated only when an OTP is generated, never when a submitted OTP is validated, and the issued 6-digit OTP has no expiry, so an unauthenticated attacker can keep guessing the code for any account, including administrators, until they obtain a logged-in session. Update to the latest version of the plugin; because the earlier fix for CVE-2024-11178 was incomplete, confirm after updating that repeated wrong OTP submissions are actually locked out.

Original description
The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise.
NVD CVSS 3.1 score: 9.8
Vulnerability type
CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Published: 27 May 2026 · Updated: 30 May 2026 · First seen: 27 May 2026
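As an added example, not the plugin's code and not a claim about how the plugin is actually written: a PHP reconstruction of the control-flow flaw the description reports (lockout checked only in the generation branch, OTP stored without expiry) beside a hardened form of the same handler. The function bodies, the `user_login`/`otp` request fields, the transient and user-meta keys, and the limits are assumptions for illustration; only the WordPress API calls are real.

```php
<?php
/**
 * Added illustration for CVE-2026-8760. This is NOT the Login with OTP plugin's
 * source; it reconstructs the reported pattern (lockout only guards OTP
 * generation, OTP never expires) next to a hardened version. Request fields,
 * storage keys and the three limits below are assumptions.
 */

const OTPL_MAX_ATTEMPTS    = 5;    // assumed: failures allowed before lockout
const OTPL_LOCKOUT_SECONDS = 900;  // assumed: length of the attempt window / lockout
const OTPL_OTP_TTL         = 300;  // assumed: seconds an issued OTP stays valid

/** Vulnerable shape: the lockout is evaluated in the generation branch only. */
function otpl_login_action_vulnerable() {
    $user = get_user_by( 'login', sanitize_text_field( wp_unslash( $_POST['user_login'] ?? '' ) ) );
    if ( ! $user ) {
        wp_send_json_error( 'invalid user' ); // wp_send_json_* ends the request
    }

    if ( isset( $_POST['otp'] ) ) {
        // Validation branch: reachable on every request, no lockout check, and
        // the stored code has no TTL, so the 900,000-value space can be walked
        // one request at a time until wp_set_auth_cookie() fires.
        $stored = get_user_meta( $user->ID, 'otpl_code', true ); // persists indefinitely
        if ( '' !== $stored && (string) $stored === (string) wp_unslash( $_POST['otp'] ) ) {
            wp_set_auth_cookie( $user->ID );
            wp_send_json_success( 'logged in' );
        }
        wp_send_json_error( 'wrong otp' );
    }

    // Generation branch: the only place the lockout is enforced, so it caps how
    // many codes can be *issued*, not how many guesses can be *submitted*.
    $attempts = (int) get_transient( 'otpl_attempts_' . $user->ID );
    if ( $attempts >= OTPL_MAX_ATTEMPTS ) {
        wp_send_json_error( 'locked out' );
    }
    set_transient( 'otpl_attempts_' . $user->ID, $attempts + 1, OTPL_LOCKOUT_SECONDS );
    $otp = (string) wp_rand( 100000, 999999 );          // 900,000 possible values
    update_user_meta( $user->ID, 'otpl_code', $otp );  // stays valid until overwritten
    // ... deliver $otp to the user out of band ...
    wp_send_json_success( 'otp sent' );
}

/** Hardened shape: lockout on every request, failures counted, OTP single-use with TTL. */
function otpl_login_action_hardened() {
    $user = get_user_by( 'login', sanitize_text_field( wp_unslash( $_POST['user_login'] ?? '' ) ) );
    if ( ! $user ) {
        wp_send_json_error( 'invalid request' ); // same message as a wrong OTP
    }
    $attempts_key = 'otpl_attempts_' . $user->ID;
    $code_key     = 'otpl_code_' . $user->ID;
    $attempts     = (int) get_transient( $attempts_key );

    // Evaluated before branching, so the validation path is rate limited too.
    if ( $attempts >= OTPL_MAX_ATTEMPTS ) {
        wp_send_json_error( 'locked out' );
    }

    if ( isset( $_POST['otp'] ) ) {
        $submitted = preg_replace( '/\D/', '', (string) wp_unslash( $_POST['otp'] ) );
        $stored    = get_transient( $code_key ); // false once OTPL_OTP_TTL has elapsed
        if ( false !== $stored && hash_equals( (string) $stored, $submitted ) ) {
            delete_transient( $code_key );     // single use: a guessed code cannot be replayed
            delete_transient( $attempts_key );
            wp_set_auth_cookie( $user->ID, false, is_ssl() );
            wp_send_json_success( 'logged in' );
        }
        // Every wrong guess counts toward the lockout; the window resets with the transient.
        set_transient( $attempts_key, $attempts + 1, OTPL_LOCKOUT_SECONDS );
        wp_send_json_error( 'invalid request' );
    }

    set_transient( $attempts_key, $attempts + 1, OTPL_LOCKOUT_SECONDS ); // issuing also counts
    $otp = (string) wp_rand( 100000, 999999 );
    set_transient( $code_key, $otp, OTPL_OTP_TTL );    // expires on its own
    // ... deliver $otp to the user out of band ...
    wp_send_json_success( 'otp sent' );
}
```

With the assumed limits, the hardened handler gives an attacker at most five submissions per fifteen-minute window against a code that lives for five minutes, instead of an unbounded number of guesses against a code that never dies. The point the description makes is that where the check sits matters: a lockout that is only reached on the generation branch is not a lockout for the validation branch, and an attempt counter that is incremented but never consulted on the path that calls `wp_set_auth_cookie()` provides no protection at all.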