Product
A critical authentication bypass vulnerability, CVE-2026-14245, exists in the miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress, affecting all versions up to 5.5.1, allowing unauthenticated attackers to obtain a password-reset URL for an arbitrary Administrator account and achieve full account takeover due to a lack of server-side OTP verification and reliance on a publicly exposed `form_nonce`.