What the vulnerability does
01 Description
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `lwp_ajax_register` AJAX handler not binding the Firebase session to the phone number supplied in the request. The `idehweb_lwp_activate_through_firebase()` function validates that a Firebase OTP session is legitimate, but the `phoneNumber` returned by Firebase is never compared against the victim's stored phone number. This makes it possible for unauthenticated attackers to authenticate as any user who has a phone number stored in user meta, including administrators, by verifying their own Firebase session and supplying the victim's phone number in the same request.
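As an added illustration (not the plugin's own code), a hypothetical WordPress AJAX handler shaped like the flow described above, showing the missing binding beside one way to close it. The helper `hypothetical_verify_firebase_session()`, the `lwp_phone` meta key and the POST field names are assumptions; the real plugin's identifiers are not known from this page.

```php
<?php
// Hypothetical reconstruction of the flaw described above; not the plugin's code.
// hypothetical_verify_firebase_session() is assumed to validate the Firebase
// session and return the phoneNumber Firebase attested (E.164), or null if the
// session is not legitimate. Stored user meta is assumed to be E.164 as well.

// BEFORE (vulnerable shape): the session is verified, but the account to log in
// is chosen from the request's phone number, which is attacker-controlled.
function hypothetical_login_vulnerable() {
    $attested = hypothetical_verify_firebase_session( $_POST['firebase_token'] ?? '' );
    if ( null === $attested ) {
        wp_send_json_error( 'invalid firebase session', 401 );
    }
    $requested = sanitize_text_field( wp_unslash( $_POST['phone_number'] ?? '' ) );
    // Lookup keyed on the request, not on what Firebase attested.
    $users = get_users( array( 'meta_key' => 'lwp_phone', 'meta_value' => $requested, 'number' => 1 ) );
    if ( empty( $users ) ) {
        wp_send_json_error( 'no account for this number', 404 );
    }
    wp_set_current_user( $users[0]->ID );
    wp_set_auth_cookie( $users[0]->ID, true );
    wp_send_json_success();
}

// AFTER (fixed shape): identity is derived only from the attested phone number.
// The request's phone number is at most a cross-check; it never selects the user.
function hypothetical_login_fixed() {
    $attested = hypothetical_verify_firebase_session( $_POST['firebase_token'] ?? '' );
    if ( null === $attested ) {
        wp_send_json_error( 'invalid firebase session', 401 );
    }
    $requested = sanitize_text_field( wp_unslash( $_POST['phone_number'] ?? '' ) );
    // Defence in depth: a request that disagrees with the attestation is rejected
    // outright and is worth logging as a possible takeover attempt.
    if ( '' !== $requested && $requested !== $attested ) {
        wp_send_json_error( 'phone number does not match verified session', 403 );
    }
    // The lookup is keyed on the Firebase-attested number, never on the request.
    $users = get_users( array( 'meta_key' => 'lwp_phone', 'meta_value' => $attested, 'number' => 1 ) );
    if ( empty( $users ) ) {
        wp_send_json_error( 'no account for this number', 404 );
    }
    wp_set_current_user( $users[0]->ID );
    wp_set_auth_cookie( $users[0]->ID, true );
    wp_send_json_success();
}
```

Both handlers assume `phoneNumber` and the stored meta use the same canonical format; if the plugin stores numbers in another format, the comparison must normalise both sides before the lookup or the fixed path will reject legitimate logins.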
Explanation of the vulnerability in simple terms
02 Summary
The OTP Login With Phone Number plugin versions 1.8.50 through 1.8.60 contain an authentication bypass vulnerability. Attackers can bypass the OTP verification process without providing valid credentials, gaining unauthorized access to user accounts. No authentication or user interaction is required to exploit this flaw. Sites running affected versions should update immediately.
What an attacker can do
03 Attacker Capabilities
Bypass OTP verification and log in to any user account without a valid one-time password.
Potential impact on your site
04 Site Impact
Attackers can take over any user account, including administrators, without knowing passwords or OTP codes.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
May 29, 2026: CVE published
May 29, 2026: Record updated