CVE-2025-7692 HIGH

CVE-2025-7692: Orion Login with SMS <= 1.0.5 - Authentication Bypass via Weak OTP

Vendor Gsayed786
Product Orion Login with SMS
Weakness CWE-288
Published July 22, 2025
Last update April 8, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the olws_handle_verify_phone() function not utilizing a strong enough OTP value, exposing the hash needed to generate the OTP value, and no restrictions on the number of attempts to submit the code. This makes it possible for unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number.
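The three defects named above (a weak OTP value, the hash needed to derive it being exposed to the client, and no limit on submission attempts) map onto three controls: generate the code from a CSPRNG, keep only a server-side hash and never return it, and count and cap attempts. The WordPress-style PHP below is an added example written for this page, not the plugin's own code; every function name, the transient key scheme, the `example_phone` user-meta key and the 5-attempt / 5-minute policy are assumptions.

```php
<?php
// Added example (not the plugin's code): a hardened issue/verify pair for an
// SMS one-time code. Function names, keys and the lockout policy are assumed.

const EXAMPLE_OTP_TTL      = 5 * MINUTE_IN_SECONDS; // code expires after 5 minutes
const EXAMPLE_MAX_ATTEMPTS = 5;                     // then the code is invalidated

/**
 * Generate a 6-digit OTP from a CSPRNG, store only a salted hash server-side
 * keyed by phone number, and return the plaintext code solely for the SMS
 * gateway. Nothing derived from the code is ever written to the HTTP response.
 */
function example_issue_otp( string $phone ): string {
    $code = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT );

    $record = array(
        'hash'     => wp_hash_password( $code ), // slow, salted; stays on the server
        'attempts' => 0,
        'expires'  => time() + EXAMPLE_OTP_TTL,
    );
    set_transient( 'example_otp_' . md5( $phone ), $record, EXAMPLE_OTP_TTL );

    return $code; // hand this to the SMS sender, not to the browser
}

/**
 * Verify a submitted code. Fails closed when no code is outstanding or it has
 * expired, increments the attempt counter on every call, deletes the code once
 * EXAMPLE_MAX_ATTEMPTS is exceeded, compares via wp_check_password() (constant
 * time), and makes a correct code single-use.
 */
function example_verify_otp( string $phone, string $submitted ): bool {
    $key    = 'example_otp_' . md5( $phone );
    $record = get_transient( $key );

    if ( ! is_array( $record ) || time() > $record['expires'] ) {
        return false; // nothing outstanding, or expired
    }

    $record['attempts']++;
    if ( $record['attempts'] > EXAMPLE_MAX_ATTEMPTS ) {
        delete_transient( $key ); // guessing stops here; a fresh code must be requested
        return false;
    }
    // Persist the counter before comparing so a wrong guess is always recorded.
    set_transient( $key, $record, max( 1, $record['expires'] - time() ) );

    if ( ! wp_check_password( $submitted, $record['hash'] ) ) {
        return false;
    }

    delete_transient( $key ); // single use: the same code cannot be replayed
    return true;
}

/**
 * Example AJAX handler: the session is only established after
 * example_verify_otp() succeeds, and only for the user whose stored phone
 * number (hypothetical meta key 'example_phone') matches the request.
 */
function example_handle_verify_phone(): void {
    check_ajax_referer( 'example_verify_phone', 'nonce' );

    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $code  = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );

    if ( ! example_verify_otp( $phone, $code ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired code.' ), 403 );
    }

    $users = get_users( array(
        'meta_key'   => 'example_phone',
        'meta_value' => $phone,
        'number'     => 1,
    ) );
    if ( empty( $users ) ) {
        wp_send_json_error( array( 'message' => 'Unknown phone number.' ), 403 );
    }

    wp_set_auth_cookie( $users[0]->ID, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_verify_phone', 'example_handle_verify_phone' );
```

Two design points worth noting for anyone reviewing a similar plugin: the attempt counter is written back before the comparison, so a request that is abandoned mid-flight still counts, and the error message is identical for "no code", "expired", "too many attempts" and "wrong code" so the response does not leak which state the counter is in.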

Explanation of Vulnerability in Simple Terms

02 Summary

Orion Login with SMS versions 1.0.5 and earlier contain an authentication bypass vulnerability: the one-time code is weak, the hash used to derive it is exposed to the client, and code submissions are not rate limited, so an attacker can gain access without valid credentials. The CVSS vector rates attack complexity as high, but no user interaction is required. Affected sites should update immediately.

What an attacker can do

03 Attacker Capabilities

Bypass authentication and gain unauthorized access to the site without valid credentials.

Potential impact on your site

04 Site Impact

Attackers can log in as any user, read sensitive data, modify content, or disable the site.

Conditions required to exploit

05 Prerequisites

Network access to the site and knowledge of the target user's phone number; no user credentials or interaction required.

Key dates

06 Disclosure timeline

July 22, 2025 CVE published
April 8, 2026 Record updated