critical threat

CVE-2026-8760: WordPress Login with OTP Plugin Authentication Bypass

The Login with OTP plugin for WordPress is vulnerable to authentication bypass due to an incomplete fix for CVE-2024-11178, allowing unauthenticated attackers to brute-force OTP codes and gain administrative access.

The Login with OTP plugin for WordPress, in versions up to and including 1.6, is vulnerable to an authentication bypass (CVE-2026-8760). The vulnerability stems from an incomplete fix for CVE-2024-11178: the rate-limiting and lockout mechanisms implemented in otpl_login_action() are applied only during OTP generation, not during OTP validation. In addition, the generated 6-digit OTP codes never expire. Together these flaws allow unauthenticated attackers to systematically brute-force the 900,000 possible OTP values for any user account, including administrators. A successful guess yields a valid session cookie issued via wp_set_auth_cookie(), resulting in complete compromise of the WordPress site.

Attack Chain

  1. Attacker identifies a target WordPress site using the vulnerable Login with OTP plugin.
  2. Attacker navigates to the WordPress login page.
  3. Attacker enters a valid username for an existing account (e.g., administrator).
  4. The site generates an OTP and sends it to the account owner; the attacker does not need to receive it, since the following steps guess it.
  5. Attacker initiates a brute-force attack by submitting numerous login attempts with different OTP values via HTTP POST requests.
  6. The OTP validation branch in otpl_login_action() lacks rate limiting, enabling rapid attempts.
  7. Attacker iterates through the 900,000 possible 6-digit OTP values until a correct value is guessed.
  8. Upon successful validation, the attacker receives a session cookie set by wp_set_auth_cookie(), granting authenticated access to the targeted WordPress account with that user's privileges (e.g. administrator).

Impact

Successful exploitation of this vulnerability allows attackers to bypass the intended OTP-based authentication mechanism, gaining unauthorized access to WordPress accounts, including those with administrative privileges. This can lead to complete site compromise, including data theft, defacement, malware injection, and denial of service. Given the widespread use of WordPress, a large number of websites are potentially vulnerable.

Recommendation

  • Deploy the Sigma rule provided below to detect brute-force attempts against the WordPress login page based on frequent POST requests, looking for the wp-login.php and otpl_login_action parameters.
  • Disable the Login with OTP plugin until a patched version is available.
  • Monitor web server logs for unusual POST request patterns to wp-login.php, especially involving the otpl_login_action action.
  • Implement web application firewall (WAF) rules to rate-limit login attempts and block suspicious IP addresses.

Detection coverage (2 rules)

Detect CVE-2026-8760 Exploitation Attempt — WordPress OTP Brute Force

high

Detects CVE-2026-8760 exploitation attempt — High volume of POST requests to wp-login.php with otpl_login_action, indicating a brute-force attack on the Login with OTP plugin.

Format: sigma. Tactics: initial_access. Techniques: T1110.001. Sources: webserver.

Detect CVE-2026-8760 Exploitation Attempt — Successful WordPress OTP Validation

medium

Detects CVE-2026-8760 exploitation attempt — Successful login after otpl_login_action validation may indicate successful brute force.

Format: sigma. Tactics: initial_access. Techniques: T1110.001. Sources: webserver.
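As an added example (not part of this advisory or of the platform's own rules), the following Python applies the logic of both rules above to constructed access-log lines: it counts POST requests to wp-login.php carrying otpl_login_action per source IP in a sliding window, and flags a 302 during such a burst as a possible successful validation. It assumes the plugin action is visible in the logged request URI and that a 302 from wp-login.php marks a successful login; the IPs, timestamps and threshold are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format request line. The plugin action is assumed to be visible in
# the logged URI (query string), since plain access logs do not record POST bodies.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
OTP_POST = '"POST /wp-login.php?action=otpl_login_action HTTP/1.1"'

# Constructed sample log: one source submits 25 OTP codes in 25 seconds and then
# gets a 302 (assumed wp-login.php success redirect); another source submits once.
SAMPLE_LOG = [f'203.0.113.7 - - [01/May/2026:10:00:{i:02d} +0000] {OTP_POST} 200 1532'
              for i in range(25)] + [
    f'203.0.113.7 - - [01/May/2026:10:00:25 +0000] {OTP_POST} 302 0',
    f'198.51.100.9 - - [01/May/2026:10:00:03 +0000] {OTP_POST} 200 1532',
    '198.51.100.9 - - [01/May/2026:10:00:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4021',
]

def parse(line):
    """Return one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "uri": m["uri"], "status": int(m["status"])}

def is_otp_submission(ev):
    """POST to wp-login.php carrying the plugin's otpl_login_action action."""
    return ev["method"] == "POST" and "/wp-login.php" in ev["uri"] and "otpl_login_action" in ev["uri"]

def detect(lines, threshold=20, window=timedelta(seconds=60)):
    """Sliding-window count of OTP submissions per source IP (the high-severity rule);
    a 302 while the burst is ongoing marks a possible successful guess (the medium one)."""
    recent = defaultdict(deque)   # ip -> timestamps of OTP submissions inside the window
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None or not is_otp_submission(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # expire submissions older than the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ev["ip"], {"attempts": 0, "possible_success": False})
            a["attempts"] = max(a["attempts"], len(q))
            if ev["status"] == 302:
                a["possible_success"] = True
    return alerts
```

Tune `threshold` and `window` to the site's normal login volume; a legitimate user who mistypes a code a few times stays far below twenty submissions per minute.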
