What the vulnerability does
01 Description
The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured.
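The description above names two conditions that combine into the bypass: an OTP handler that does not reject empty values, and a verification step that treats "the Firebase call returned nothing" (because no API key was configured) as "no error". The following PHP is an added illustration of that failure class and its fail-closed counterpart; it is not the plugin's own code, and every function name (hypothetical_firebase_verify, vulnerable_otp_check, hardened_otp_check) and the constructed phone number and OTP are assumptions made for the example.

```php
<?php
// Illustrative example (not the plugin's code): how a phone/OTP login check
// behaves when the Firebase API key is unconfigured and the OTP is empty.
// All function names and sample values below are hypothetical/constructed.

/**
 * Hypothetical stand-in for a call to the Firebase verification API.
 * Returns the decoded response array, or null when no request could be
 * made (no API key configured) or the transport failed.
 */
function hypothetical_firebase_verify(string $api_key, string $phone, string $otp): ?array
{
    if ($api_key === '') {
        return null; // request never sent: there is nothing to verify against
    }
    // A real implementation would use wp_remote_post() and inspect
    // wp_remote_retrieve_response_code(); omitted so the example runs offline.
    return ['verified' => ($otp === '123456')]; // constructed sample response
}

/**
 * Vulnerable pattern: only an explicit API error is treated as failure.
 * With an empty API key the verifier returns null, the error branch is never
 * taken, and the login proceeds for whatever phone number was submitted.
 */
function vulnerable_otp_check(string $api_key, string $phone, string $otp): bool
{
    $response = hypothetical_firebase_verify($api_key, $phone, $otp);
    if (is_array($response) && isset($response['error'])) {
        return false;
    }
    return true; // BUG: null (no verification at all) and an empty $otp both pass
}

/**
 * Hardened pattern: fail closed. Every missing precondition is a rejection,
 * and only an explicit positive result from the verifier grants the login.
 */
function hardened_otp_check(string $api_key, string $phone, string $otp): bool
{
    if ($api_key === '' || $phone === '' || $otp === '') {
        return false; // unconfigured verifier or empty input: deny
    }
    $response = hypothetical_firebase_verify($api_key, $phone, $otp);
    if (!is_array($response) || isset($response['error'])) {
        return false; // transport failure or API error: deny
    }
    return isset($response['verified']) && $response['verified'] === true;
}

// Constructed inputs: no API key configured, empty OTP, then a valid OTP.
var_dump(vulnerable_otp_check('', '+15555550100', ''));
var_dump(hardened_otp_check('', '+15555550100', ''));
var_dump(hardened_otp_check('example-key', '+15555550100', '123456'));
```

Run with the PHP CLI: the vulnerable check accepts the empty-key, empty-OTP request, while the hardened check rejects it and accepts only the explicitly verified OTP. The design point is that an absent verifier response must be indistinguishable, from the login code's point of view, from a negative one; anything the verifier did not positively confirm is a denial.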
Explanation of Vulnerability in Simple Terms
02 Summary
The OTP Login With Phone Number plugin for WordPress, versions 1.8.47 and earlier, lacks proper authentication checks: an attacker can bypass login and gain unauthorized access to user accounts or administrative functions without valid credentials. Exploitation requires only network access to the site and can result in full compromise of affected sites.
What an attacker can do
03 Attacker Capabilities
Bypass login authentication and access user accounts or admin functions without valid credentials.
Potential impact on your site
04 Site Impact
Attackers can take over user accounts or gain admin access, potentially compromising the entire site.
Conditions required to exploit
05 Prerequisites
Network access to the site; no user interaction or authentication required.
Key dates
06 Disclosure timeline
August 15, 2025
CVE published
April 8, 2026
Record updated