CVE-2026-12492

CVE-2026-12492: Happy Coders OTP Login for WooCommerce < 2.8 - Unauthenticated Account Takeover via hcotp_auto_login_user

Vendor Unknown
Product Happy Coders OTP Login for WooCommerce
Published July 16, 2026
Last update July 16, 2026

CVSS base score

What the vulnerability does

01Description

The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well as to create new accounts.

Key dates

02Disclosure timeline

July 16, 2026 CVE published
July 16, 2026 Record updated