CVE-2026-3655 CRITICAL

CVE-2026-3655: OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification

Vendor Glboy
Product OTP Login With Phone Number, OTP Verification
Weakness CWE-287 · Improper authentication
Published May 29, 2026
Last update May 29, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `lwp_ajax_register` AJAX handler not binding the Firebase session to the phone number supplied in the request. The `idehweb_lwp_activate_through_firebase()` function validates that a Firebase OTP session is legitimate, but the `phoneNumber` returned by Firebase is never compared against the victim's stored phone number. This makes it possible for unauthenticated attackers to authenticate as any user who has a phone number stored in user meta, including administrators, by verifying their own Firebase session and supplying the victim's phone number in the same request.
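The missing binding described above, as an added PHP illustration that is not the plugin's own code: the account to log in is resolved only from the phone number Firebase attached to the verified session, never from a phone number taken from the request. It assumes a hypothetical helper `example_verify_firebase_session()` that returns Firebase's verified `phoneNumber` (or null), and a hypothetical user-meta key `EXAMPLE_PHONE_META_KEY` holding the phone in normalised digit form.

```php
<?php
// Added illustration, not the plugin's code. Assumed hypothetical pieces:
//   example_verify_firebase_session(string $id_token): ?string
//       returns the phoneNumber Firebase verified for this session, or null on failure
//   EXAMPLE_PHONE_META_KEY: user-meta key storing the phone as normalised digits
const EXAMPLE_PHONE_META_KEY = 'example_phone';

/** Normalise to digits so '+1 (555) 010-0000' and '15550100000' compare equal. */
function example_normalize_phone( string $phone ): string {
    return preg_replace( '/\D+/', '', $phone );
}

function example_firebase_login_handler(): void {
    $id_token = isset( $_POST['idToken'] ) ? sanitize_text_field( wp_unslash( $_POST['idToken'] ) ) : '';

    // 1. Verify the session and take the phone number FROM FIREBASE, not from the request.
    $verified_phone = example_verify_firebase_session( $id_token );
    if ( $verified_phone === null ) {
        wp_send_json_error( array( 'message' => 'OTP verification failed' ), 401 );
    }
    $verified_digits = example_normalize_phone( $verified_phone );

    // 2. Resolve the account from the verified phone number only; refuse on zero or ambiguous matches.
    $users = get_users( array(
        'meta_key'   => EXAMPLE_PHONE_META_KEY,
        'meta_value' => $verified_digits,
        'number'     => 2,
        'fields'     => 'ID',
    ) );
    if ( count( $users ) !== 1 ) {
        wp_send_json_error( array( 'message' => 'No account bound to this phone number' ), 401 );
    }
    $user_id = (int) $users[0];

    // 3. Defence in depth: a request-supplied phoneNumber must agree with the verified one.
    //    Accepting a caller-chosen number here is the gap behind CVE-2026-3655.
    if ( isset( $_POST['phoneNumber'] ) ) {
        $requested = example_normalize_phone( sanitize_text_field( wp_unslash( $_POST['phoneNumber'] ) ) );
        if ( ! hash_equals( $verified_digits, $requested ) ) {
            wp_send_json_error( array( 'message' => 'Phone number does not match verified session' ), 401 );
        }
    }

    // 4. Only now establish the WordPress session for the matched user.
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id, false );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```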

Explanation of Vulnerability in Simple Terms

02 Summary

The OTP Login With Phone Number plugin versions 1.8.50 through 1.8.60 contain an authentication bypass vulnerability. Attackers can bypass the OTP verification process without providing valid credentials, gaining unauthorized access to user accounts. No authentication or user interaction is required to exploit this flaw. Sites running affected versions should update immediately.

What an attacker can do

03 Attacker Capabilities

Bypass OTP verification and log in to any user account without a valid one-time password.

Potential impact on your site

04 Site Impact

Attackers can take over any user account, including administrators, without knowing passwords or OTP codes.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

May 29, 2026 CVE published
May 29, 2026 Record updated