Unrated severityNVD Advisory· Published Oct 17, 2024· Updated Apr 8, 2026

Miniorange OTP Verification with Firebase <= 3.6.0 - Authentication Bypass

CVE-2024-9861

Description

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.6.0. This is due to missing validation on the token being supplied during the otp login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the phone number associated with that user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Miniorange/OTP Verification with Firebasellm-fuzzy
Range: <=3.6.0
Cyberlord92/Miniorange OTP Verification With Firebasev5
Range: 0
WordPress/OTP Verification with Firebasewp-canonicalize

Patches

Vulnerability mechanics

References

plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-loginform.phpmitre
plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-loginform.phpmitre
plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verificationmitre
www.wordfence.com/threat-intel/vulnerabilities/id/04045ec3-dd8e-4ac5-bd73-eef6205ecc62mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000