What the vulnerability does
01 Description
The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. The plugin does not properly validate a user's identity before updating that user's password. As a result, an unauthenticated attacker who knows a user's phone number can have that user's password changed to a one-time password, without ever proving control of the phone or the account.
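To make "not validating identity before updating the password" concrete, here is an added illustrative example; it is not the plugin's own source, which this page does not reproduce. It shows a hypothetical WordPress AJAX handler with the vulnerable shape the description implies, followed by a hardened two-step flow. All function names, the `example_phone` user-meta key, the `example_otp` nonce action and the AJAX action names are assumptions made for the example; the WordPress API calls (`get_users`, `wp_set_password`, `set_transient`, `wp_hash_password`, `wp_check_password`, `check_ajax_referer`) are real.

```php
<?php
// Added illustrative example; NOT the Orion SMS OTP Verification plugin's code.
// Every function name, the 'example_phone' user-meta key, the 'example_otp'
// nonce action and the AJAX action names are assumptions for this example.

// Assumed SMS gateway hook: site-specific code listens on this action.
function example_send_sms( $phone, $message ) {
    do_action( 'example_send_sms', $phone, $message );
}

function example_user_by_phone( $phone ) {
    $users = get_users( array(
        'meta_key'   => 'example_phone',
        'meta_value' => $phone,
        'number'     => 1,
    ) );
    return $users ? $users[0] : null;
}

// --- Vulnerable shape: the password is overwritten on the strength of a phone
// number alone. The request proves nothing about who sent it.
function example_vuln_reset() {
    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $user  = example_user_by_phone( $phone );
    if ( ! $user ) {
        wp_send_json_error( 'unknown phone' );   // also leaks which numbers exist
    }
    $otp = (string) random_int( 100000, 999999 );
    wp_set_password( $otp, $user->ID );          // identity never validated
    example_send_sms( $phone, 'Your login code: ' . $otp );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_vuln_reset', 'example_vuln_reset' );

// --- Hardened shape, step 1: issue an OTP but do not touch the password.
// Only a hash of the code is stored, bound to the user, with an expiry, an
// attempt counter and a per-phone rate limit. The response is identical
// whether or not the number is registered, so phones cannot be enumerated.
function example_safe_request_otp() {
    check_ajax_referer( 'example_otp', 'nonce' );
    $phone  = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $rl_key = 'example_otp_rl_' . md5( $phone );
    if ( get_transient( $rl_key ) ) {
        wp_send_json_error( 'try again later', 429 );
    }
    set_transient( $rl_key, 1, MINUTE_IN_SECONDS );

    $user = example_user_by_phone( $phone );
    if ( $user ) {
        $otp = (string) random_int( 100000, 999999 );
        set_transient( 'example_otp_' . $user->ID, array(
            'hash'  => wp_hash_password( $otp ),
            'exp'   => time() + 5 * MINUTE_IN_SECONDS,
            'tries' => 0,
        ), 5 * MINUTE_IN_SECONDS );
        example_send_sms( $phone, 'Your code: ' . $otp );
    }
    wp_send_json_success( 'If that number is registered, a code has been sent.' );
}
add_action( 'wp_ajax_nopriv_example_safe_request_otp', 'example_safe_request_otp' );

// --- Hardened shape, step 2: change the password only after the submitted
// code matches the stored hash. The code is single-use, time-limited and
// locked after five wrong guesses.
function example_safe_verify_otp() {
    check_ajax_referer( 'example_otp', 'nonce' );
    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $code  = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );
    $newpw = (string) wp_unslash( $_POST['new_password'] ?? '' );
    if ( strlen( $newpw ) < 12 ) {
        wp_send_json_error( 'password too short' );
    }

    $user = example_user_by_phone( $phone );
    $key  = $user ? 'example_otp_' . $user->ID : '';
    $rec  = $user ? get_transient( $key ) : false;
    if ( ! $rec || time() > $rec['exp'] || $rec['tries'] >= 5 ) {
        if ( $key ) { delete_transient( $key ); }
        wp_send_json_error( 'invalid or expired code' );
    }
    if ( ! wp_check_password( $code, $rec['hash'] ) ) {
        $rec['tries']++;
        set_transient( $key, $rec, max( 1, $rec['exp'] - time() ) );
        wp_send_json_error( 'invalid or expired code' );
    }
    delete_transient( $key );                    // single use
    wp_set_password( $newpw, $user->ID );        // reached only with proof of possession
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_safe_verify_otp', 'example_safe_verify_otp' );
```

The point of the hardened version is ordering: nothing state-changing happens until the caller has proved possession of the phone, that proof is single-use and short-lived, guesses are counted, and a lookup by phone number returns the same response whether or not the number exists.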
Explanation of Vulnerability in Simple Terms
02 Summary
Orion SMS OTP Verification versions 1.1.7 and earlier contain an authentication bypass: the plugin updates a user's password without first verifying that the requester is that user. An unauthenticated attacker who knows an account's phone number can therefore have that account's password set to a one-time password and take the account over. Because this works against any account, administrators included, it threatens the confidentiality, integrity and availability of the whole site. Update to a release newer than 1.1.7 as soon as one is available, or deactivate the plugin until then.
What an attacker can do
03 Attacker Capabilities
Reset the password of any account whose phone number the attacker knows, administrators included, to a one-time password and log in as that user. No valid credentials are needed to start the attack; taking over an administrator account is equivalent to full control of the site.
Potential impact on your site
04 Site Impact
An attacker who takes over an administrator account can read, modify or delete all site data, compromise further user accounts and the SMS OTP tokens issued to them, and disrupt service availability. Even against non-administrative accounts, overwriting the password locks the legitimate user out.
Conditions required to exploit
05 Prerequisites
Network access to a site running the plugin at version 1.1.7 or earlier, plus knowledge of the target user's phone number. No authentication, user interaction, or special privileges are required.
Key dates
06 Disclosure timeline
October 15, 2025: CVE published
April 8, 2026: Record updated