Critical advisory

CVE-2026-3655: WordPress OTP Login Plugin Authentication Bypass Vulnerability

The OTP Login With Phone Number, OTP Verification plugin for WordPress versions 1.8.50 through 1.8.60 is vulnerable to authentication bypass due to improper validation of the Firebase session, allowing unauthenticated attackers to authenticate as arbitrary users, including administrators, by supplying a victim's phone number.

The OTP Login With Phone Number, OTP Verification plugin for WordPress is susceptible to an authentication bypass vulnerability affecting versions 1.8.50 through 1.8.60. This flaw stems from the lack of binding between the Firebase verification session and the phone number provided by the user within the lwp_ajax_register AJAX handler. Specifically, the idehweb_lwp_activate_through_firebase() function validates the Firebase OTP session’s legitimacy but neglects to compare the phoneNumber returned by Firebase against the phone number stored in the user’s metadata. This oversight enables unauthenticated attackers to gain unauthorized access as any user, including those with administrative privileges, simply by verifying their own Firebase session and submitting a request containing the target user’s phone number.

Attack Chain

  1. Attacker identifies a WordPress site using a vulnerable version of the OTP Login With Phone Number, OTP Verification plugin (1.8.50 - 1.8.60).
  2. Attacker registers a phone number with Firebase to obtain a valid Firebase OTP session.
  3. Attacker crafts a malicious HTTP POST request to the lwp_ajax_register AJAX handler.
  4. The POST request includes the attacker’s valid Firebase OTP session data and the victim’s phone number (obtained through OSINT or other means).
  5. The idehweb_lwp_activate_through_firebase() function validates the Firebase session but fails to verify if the phoneNumber returned by Firebase matches the phone number associated with the target user.
  6. The attacker is authenticated as the user whose phone number was provided in the request (the victim), bypassing the intended OTP verification.
  7. If the targeted user has administrative privileges, the attacker gains full control over the WordPress site.
  8. The attacker can now perform any actions allowed by the compromised account, such as installing plugins, modifying content, or creating new administrative accounts.
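The following Python model is an added illustration and is not code from the plugin, its vendor, or the advisory. It shows, in miniature, the gap the attack chain above relies on: a flow that checks only whether a Firebase OTP session is valid, beside the same flow with the session bound to the account it logs in. Every name in it (FirebaseSession, USERS, find_user_by_phone, activate_vulnerable, activate_fixed) and the phone-number normalisation are assumptions made for the model; the real plugin is PHP and its handler is not reproduced here.

```python
"""Added model (not the plugin's code) of the missing binding check behind
CVE-2026-3655. Names, data layout and request shape are assumptions made
for illustration; the advisory does not show the plugin's implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FirebaseSession:
    """Result of validating a Firebase phone-auth session (modelled)."""
    valid: bool         # Firebase confirmed the OTP for this session
    phone_number: str   # the phoneNumber Firebase reports for the session


def normalize_phone(raw: str) -> str:
    """Canonicalise to +digits so formatting differences cannot defeat the
    comparison (assumes numbers are stored with a country code)."""
    return "+" + "".join(ch for ch in raw if ch.isdigit())


# Constructed user records keyed by user id; 'phone' models the number kept
# in the user's metadata.
USERS = {
    1: {"login": "admin", "role": "administrator", "phone": "+15550000001"},
    7: {"login": "subscriber7", "role": "subscriber", "phone": "+15550000002"},
}


def find_user_by_phone(phone: str) -> Optional[dict]:
    """Look up the account whose stored number matches the submitted one."""
    wanted = normalize_phone(phone)
    for user in USERS.values():
        if normalize_phone(user["phone"]) == wanted:
            return user
    return None


def activate_vulnerable(session: FirebaseSession, submitted_phone: str) -> Optional[dict]:
    """Flawed flow as the advisory describes it: the session is validated,
    the account is chosen by the phone number in the request, and the two
    are never compared, so a valid session for one number logs in any
    account whose number the caller supplies."""
    if not session.valid:
        return None
    return find_user_by_phone(submitted_phone)


def activate_fixed(session: FirebaseSession, submitted_phone: str) -> Optional[dict]:
    """Same flow with the session bound to the account: the number Firebase
    verified must equal the number stored for the user being logged in."""
    if not session.valid:
        return None
    user = find_user_by_phone(submitted_phone)
    if user is None:
        return None
    if normalize_phone(session.phone_number) != normalize_phone(user["phone"]):
        return None  # session belongs to a different number: refuse
    return user
```

The comparison in activate_fixed is the check the advisory says idehweb_lwp_activate_through_firebase() omits: with it, a session that Firebase verified for one number can only ever log in the account that stores that same number. Comparing canonical forms matters because a check on raw strings could be defeated by formatting differences even when the numbers are the same.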

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to bypass authentication and gain unauthorized access to WordPress accounts. The severity of the impact depends on the privileges of the compromised account. If an administrator account is compromised, the attacker gains full control over the WordPress site, leading to potential data theft, defacement, or complete system compromise. Given the widespread use of WordPress and this plugin, a large number of websites are potentially vulnerable.

Recommendation

  • Upgrade the OTP Login With Phone Number, OTP Verification plugin to a version higher than 1.8.60 to patch CVE-2026-3655.
  • Deploy the Sigma rule “Detect WordPress OTP Login Plugin Authentication Bypass Attempt” to identify suspicious requests to the lwp_ajax_register handler.
  • Monitor web server logs for HTTP POST requests to lwp_ajax_register with unusual parameters or suspicious patterns in the request body.
  • Implement multi-factor authentication (MFA) for all WordPress accounts, especially those with administrative privileges, as a defense-in-depth measure.

Detection coverage (2 rules)

Detect WordPress OTP Login Plugin Authentication Bypass Attempt
Severity: high
Detects CVE-2026-3655 exploitation: HTTP POST requests to the `lwp_ajax_register` handler with potential authentication bypass attempts.
Type: sigma | Tactics: privilege_escalation | Techniques: T1550.002 | Sources: webserver

Detect WordPress OTP Login Plugin Unusual POST Request Size
Severity: medium
Detects unusual HTTP POST request sizes to the `lwp_ajax_register` handler, potentially indicating exploitation attempts.
Type: sigma | Tactics: privilege_escalation | Techniques: T1550.002 | Sources: webserver
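As an added example, not the platform's Sigma rules and not code from the advisory, the scanner below applies the two detections listed above to web server access-log lines. It assumes (these are not from the advisory) a combined-style log with the request length appended as a trailing field, as nginx's $request_length would supply, and that the handler is reached through WordPress's admin-ajax.php with action=lwp_ajax_register in the query string; the log lines, the threshold value and the names scan, top_sources and Alert are constructed for the example. One caveat a practitioner should keep in mind: an action parameter sent only in the POST body does not appear in a standard access log, so the request-body patterns mentioned in the recommendations need WAF or application-level logging.

```python
"""Added example (not the platform's Sigma rules): apply the two detections
for CVE-2026-3655 to access-log lines.

Assumed log format (not from the advisory):
  ip - - [time] "METHOD TARGET PROTO" status resp_bytes request_length
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) (?P<req_len>\d+)$'
)

HANDLER = "lwp_ajax_register"
# Threshold for the "unusual request size" rule. Illustrative value: derive a
# real one from a baseline of legitimate logins on your own site.
REQ_LEN_THRESHOLD = 2000

RULE_BYPASS = "Detect WordPress OTP Login Plugin Authentication Bypass Attempt"
RULE_SIZE = "Detect WordPress OTP Login Plugin Unusual POST Request Size"

# Constructed sample log lines (not real traffic): one legitimate-looking
# login, two oversized requests from a second source, one unrelated POST.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2026:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 412',
    '203.0.113.10 - - [12/Mar/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=lwp_ajax_register HTTP/1.1" 200 128 1460',
    '198.51.100.7 - - [12/Mar/2026:10:02:31 +0000] "POST /wp-admin/admin-ajax.php?action=lwp_ajax_register HTTP/1.1" 200 128 5890',
    '198.51.100.7 - - [12/Mar/2026:10:02:33 +0000] "POST /wp-admin/admin-ajax.php?action=lwp_ajax_register HTTP/1.1" 200 128 5902',
    '192.0.2.44 - - [12/Mar/2026:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 390',
]


@dataclass
class Alert:
    rule: str
    severity: str
    ip: str
    time: str
    target: str
    req_len: int


def scan(lines: List[str]) -> List[Alert]:
    """Emit one high alert per POST to the handler (rule 1) and an extra
    medium alert when the request length exceeds the threshold (rule 2).
    Lines that do not parse are skipped rather than raising."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m or m["method"] != "POST" or HANDLER not in m["target"]:
            continue
        req_len = int(m["req_len"])
        alerts.append(Alert(RULE_BYPASS, "high", m["ip"], m["time"], m["target"], req_len))
        if req_len > REQ_LEN_THRESHOLD:
            alerts.append(Alert(RULE_SIZE, "medium", m["ip"], m["time"], m["target"], req_len))
    return alerts


def top_sources(alerts: List[Alert]) -> List[Tuple[str, int]]:
    """Triage aid: source addresses ranked by number of POSTs to the handler,
    so a burst from one client stands out against normal login traffic."""
    counts = Counter(a.ip for a in alerts if a.rule == RULE_BYPASS)
    return counts.most_common()


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.rule}: {alert.ip} {alert.time} "
              f"{alert.target} request_length={alert.req_len}")
    print("sources:", top_sources(scan(SAMPLE_LOG)))
```

Rule 1 will also match legitimate logins, which is why the advisory rates it as something to review rather than block on its own; top_sources is the kind of aggregation that separates a single user logging in from one client cycling through many phone numbers. Rule 2 depends on the request-length field being logged at all, so confirm your web server emits it before relying on the medium-severity rule.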
