CVE-2026-8760
Description
The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to otpl_login_action() was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid wp_set_auth_cookie() session, leading to full site compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unpatched brute-force of 6-digit OTP in WordPress Login with OTP plugin (≤1.6) enables unauthenticated attackers to log in as any user by bypassing incomplete rate-limiting.
Vulnerability
The Login with OTP plugin for WordPress up to version 1.6 fails to enforce rate-limiting or lockout on the OTP validation branch. An earlier attempt to fix CVE-2024-11178 [1] added a check only to otpl_login_action() during OTP generation, but not during actual OTP validation. The generated 6-digit numeric OTP also lacks an expiration time, leaving the entire 900,000-value space (000000–999999) perpetually valid. Affected versions: all up to and including 1.6 [CVE description].
Exploitation
An unauthenticated attacker needs network access to the WordPress login endpoint and knowledge of a target username (e.g., an administrator email). Because no lockout or rate-limit exists on the OTP validation URL, the attacker can script repeated submissions of random 6-digit OTPs. The volume of requests required is bounded by the OTP space size, and no per-IP or per-user throttling is applied. The attack is feasible in minutes or hours depending on network speed [CVE description].
Impact
Successful brute-force of a valid OTP yields a wp_set_auth_cookie() session for that user, giving the attacker full access to the site as that user. If the compromised account is an administrator, privilege escalation is immediate and the result is complete site compromise, including data theft, modification, and potential server-level control [CVE description] [1].
Mitigation
As of the publication date (2026-05-27), no patched version has been announced. The vendor must release a version beyond 1.6 that implements rate-limiting/lockout on the validation branch and sets an OTP expiration (e.g., 5–10 minutes). Until then, site administrators should temporarily disable the plugin or implement external web application firewall (WAF) rules to block rapid OTP requests. The CVE is not yet listed in CISA KEV [CVE description] [1].
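The fix the mitigation calls for, sketched as an added Python example that is not the plugin's code: the lockout check runs on the OTP-validation branch as well as the generation branch, and each code carries an expiry. The in-memory store and the attempt limit, TTL and lockout duration are assumed policy values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

MAX_ATTEMPTS = 5         # failed validations before lockout (assumed policy)
OTP_TTL_SECONDS = 300    # 5 minutes, inside the 5-10 minute window suggested above
LOCKOUT_SECONDS = 900    # how long a locked-out user stays locked (assumed policy)


@dataclass
class OtpState:
    code: Optional[str] = None   # current one-time code, None when none is outstanding
    issued_at: float = 0.0
    failures: int = 0            # deliberately not reset by generate_otp()
    locked_until: float = 0.0


def _is_locked(state: OtpState, now: float) -> bool:
    return now < state.locked_until


def generate_otp(store: Dict[str, OtpState], user: str, now: Optional[float] = None) -> Optional[str]:
    """OTP-generation branch: this is the only place the unpatched plugin checked the lockout."""
    now = time.time() if now is None else now
    state = store.setdefault(user, OtpState())
    if _is_locked(state, now):
        return None
    state.code = f"{secrets.randbelow(1_000_000):06d}"   # six-digit numeric code
    state.issued_at = now
    return state.code


def validate_otp(store: Dict[str, OtpState], user: str, submitted: str, now: Optional[float] = None) -> bool:
    """OTP-validation branch: lockout and expiry are enforced here too."""
    now = time.time() if now is None else now
    state = store.get(user)
    if state is None or state.code is None or _is_locked(state, now):
        return False
    if now - state.issued_at > OTP_TTL_SECONDS:
        state.code = None          # expired: a fresh code must be requested
        return False
    if hmac.compare_digest(state.code, submitted):
        state.code = None          # single use: the same code cannot be replayed
        state.failures = 0
        return True
    state.failures += 1
    if state.failures >= MAX_ATTEMPTS:
        state.locked_until = now + LOCKOUT_SECONDS
        state.failures = 0
        state.code = None          # discard the code so the lockout cannot be ridden out
    return False
```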
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.6
Patches
- r3216953
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- nvd.nist.gov/vuln/detail/CVE-2024-11178
- plugins.trac.wordpress.org/browser/otp-login/tags/1.6/lib/otpl-class.php
- plugins.trac.wordpress.org/browser/otp-login/trunk/lib/otpl-class.php
- www.wordfence.com/threat-intel/vulnerabilities/id/ad22cb24-e6a0-456f-afe8-88a39acd97d3