{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-3655/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-3655"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OTP Login With Phone Number, OTP Verification plugin"],"_cs_severities":["critical"],"_cs_tags":["authentication-bypass","wordpress","plugin","cve-2026-3655","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe OTP Login With Phone Number, OTP Verification plugin for WordPress is susceptible to an authentication bypass vulnerability affecting versions 1.8.50 through 1.8.60. This flaw stems from the lack of binding between the Firebase verification session and the phone number provided by the user within the \u003ccode\u003elwp_ajax_register\u003c/code\u003e AJAX handler. Specifically, the \u003ccode\u003eidehweb_lwp_activate_through_firebase()\u003c/code\u003e function validates the Firebase OTP session\u0026rsquo;s legitimacy but neglects to compare the \u003ccode\u003ephoneNumber\u003c/code\u003e returned by Firebase against the phone number stored in the user\u0026rsquo;s metadata. 
This oversight lets an unauthenticated attacker log in as any user, including administrators: the attacker completes Firebase phone verification for a number they control, then submits that valid session together with the target user\u0026rsquo;s phone number.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress site running a vulnerable version of the OTP Login With Phone Number, OTP Verification plugin (1.8.50 - 1.8.60) with the plugin\u0026rsquo;s Firebase verification enabled.\u003c/li\u003e\n\u003cli\u003eAttacker completes the site\u0026rsquo;s Firebase phone verification with a phone number they control and receives a valid Firebase OTP session for that number. The OTP is delivered to the attacker\u0026rsquo;s own phone, so this step needs no victim interaction.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP POST request to the \u003ccode\u003elwp_ajax_register\u003c/code\u003e AJAX handler. As with other WordPress AJAX actions, the handler is reached through \u003ccode\u003eadmin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter, and it is exposed to unauthenticated clients.\u003c/li\u003e\n\u003cli\u003eThe request carries the attacker\u0026rsquo;s valid Firebase OTP session data and the victim\u0026rsquo;s phone number (obtained through OSINT or other means). The two values do not belong to the same person, which is exactly what the handler never checks.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eidehweb_lwp_activate_through_firebase()\u003c/code\u003e function confirms that the Firebase session is valid but does not verify that the \u003ccode\u003ephoneNumber\u003c/code\u003e returned by Firebase matches the phone number associated with the target user.\u003c/li\u003e\n\u003cli\u003eThe plugin resolves the account from the submitted phone number and authenticates the attacker as that user (the victim); the phone-OTP check the plugin was meant to enforce is bypassed.\u003c/li\u003e\n\u003cli\u003eIf the targeted user has administrative privileges, the attacker gains full control over the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform any action allowed by the compromised account, such as installing plugins, modifying content, or creating new administrative accounts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to bypass authentication and gain unauthorized access to WordPress accounts. The severity depends on the privileges of the compromised account: if an administrator account is taken over, the attacker gains full control over the WordPress site, enabling data theft, defacement, persistence through new administrative accounts or malicious plugins, or complete compromise of the underlying system. Any site running an affected version with the plugin\u0026rsquo;s Firebase verification enabled is exposed, and the only victim-specific input the attacker needs is a phone number, which is rarely treated as a secret.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the OTP Login With Phone Number, OTP Verification plugin to a version higher than 1.8.60 to patch CVE-2026-3655. Until the upgrade is applied, disabling the plugin\u0026rsquo;s Firebase login path, or the plugin itself, removes the exposed code path.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WordPress OTP Login Plugin Authentication Bypass Attempt\u0026rdquo; to identify suspicious requests to the \u003ccode\u003elwp_ajax_register\u003c/code\u003e handler.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP POST requests to \u003ccode\u003eadmin-ajax.php\u003c/code\u003e that invoke \u003ccode\u003elwp_ajax_register\u003c/code\u003e, especially bursts from one source address or requests shortly followed by privileged actions. Note that the phone number and the Firebase session are sent in the POST body, which default access logs do not record; spotting a mismatch between the two requires request-body logging, a WAF, or logging at the application layer.\u003c/li\u003e\n\u003cli\u003eAfter patching, review the site for unexpected administrator accounts, recently changed phone numbers or e-mail addresses on privileged users, and unfamiliar plugins, since a successful bypass looks like an ordinary login and leaves no failed-authentication trace.\u003c/li\u003e\n\u003cli\u003eRequire a second factor that is independent of the plugin\u0026rsquo;s phone-OTP flow for all WordPress accounts, especially those with administrative privileges, as a defense-in-depth measure; the OTP step is the very control this flaw bypasses, so it cannot be the compensating factor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T08:16:49Z","date_published":"2026-05-29T08:16:49Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-3655-wordpress-auth-bypass/","summary":"The OTP Login With Phone Number, OTP Verification plugin for WordPress versions 1.8.50 through 1.8.60 is vulnerable to authentication bypass: the lwp_ajax_register handler validates the Firebase session but never compares the phone number Firebase verified with the phone number submitted for the target account, allowing unauthenticated attackers to authenticate as arbitrary users, including administrators, by supplying a victim's phone number.","title":"CVE-2026-3655: WordPress OTP Login Plugin Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-3655-wordpress-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-3655","version":"https://jsonfeed.org/version/1.1"}
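The missing binding that the advisory above describes, modelled as an added example (this is not the plugin's PHP and not code from CraftedSignal): the vulnerable handler verifies the Firebase session and then selects the account purely from the client-supplied phone number, while the hardened form ties the account to the number Firebase actually verified. FIREBASE_SESSIONS, USERS_BY_PHONE, the request field names and normalize_phone() are assumptions made for the illustration; the plugin's real data layout is not described on the page.

```python
"""Vulnerable vs hardened account activation for CVE-2026-3655.

Added example, not the plugin's code: the real handler is PHP inside
WordPress, and this Python model keeps only the logic the advisory
describes (verify the Firebase session, then pick the account by phone
number). FIREBASE_SESSIONS, USERS_BY_PHONE, the request field names and
normalize_phone() are assumptions made for the illustration.
"""
import re
from dataclasses import dataclass


class AuthError(Exception):
    pass


@dataclass(frozen=True)
class User:
    user_id: int
    login: str
    role: str


# Constructed stand-in for what Firebase reports when a session is verified:
# token -> the phone number Firebase actually delivered the OTP to. Firebase,
# not the client, is the source of truth for this value.
FIREBASE_SESSIONS = {"attacker-session-token": "+15550000001"}

# Constructed WordPress user table keyed by the phone number in user meta.
USERS_BY_PHONE = {
    "+15550000001": User(7, "attacker", "subscriber"),
    "+15551234567": User(1, "admin", "administrator"),
}


def normalize_phone(raw: str) -> str:
    """Canonical form for comparison: a leading '+' followed by digits only.
    Assumed normalization (the plugin's handling of formats is not described).
    Comparing un-normalized strings invites benign mismatches such as
    '+1 555-123-4567' vs '+15551234567', which tempt developers to loosen the
    check; normalize both sides instead and compare exactly."""
    digits = re.sub(r"\D", "", raw)
    if not digits:
        raise AuthError("malformed phone number")
    return "+" + digits


def verify_firebase_session(token: str) -> str:
    """Return the phone number Firebase verified for this session."""
    try:
        return FIREBASE_SESSIONS[token]
    except KeyError:
        raise AuthError("invalid Firebase session") from None


def activate_vulnerable(request: dict) -> User:
    """Versions 1.8.50-1.8.60 as described: the session's legitimacy is
    checked, but the phoneNumber Firebase returned is never compared with
    the phone number the client submitted, which alone selects the account."""
    verify_firebase_session(request["session_token"])   # result discarded
    user = USERS_BY_PHONE.get(normalize_phone(request["phone_number"]))
    if user is None:
        raise AuthError("no account for that phone number")
    return user   # whoever owns the submitted number, e.g. the admin


def activate_fixed(request: dict) -> User:
    """Hardened form: the verified number is bound to the request, and the
    account lookup uses the verified value, never the client's."""
    verified = normalize_phone(verify_firebase_session(request["session_token"]))
    submitted = normalize_phone(request["phone_number"])
    if submitted != verified:
        raise AuthError("submitted phone number does not match verified session")
    user = USERS_BY_PHONE.get(verified)
    if user is None:
        raise AuthError("no account for verified phone number")
    return user


# Attack chain from the advisory: the attacker's own verified session plus the
# victim's phone number. LEGIT is the attacker logging into their own account.
ATTACK = {"session_token": "attacker-session-token", "phone_number": "+1 555-123-4567"}
LEGIT = {"session_token": "attacker-session-token", "phone_number": "+15550000001"}


def outcome(handler, request: dict) -> str:
    """Login name on success, or 'rejected: <reason>'."""
    try:
        return handler(request).login
    except AuthError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    print("vulnerable handler, attack request:", outcome(activate_vulnerable, ATTACK))
    print("fixed handler, attack request:     ", outcome(activate_fixed, ATTACK))
    print("fixed handler, legitimate request: ", outcome(activate_fixed, LEGIT))
```

Running the block shows the attack request succeeding as admin against the vulnerable handler and being rejected by the fixed one, while the attacker's own login still works. Two design points carry over to the PHP: look the account up by the number Firebase returned rather than by the client's value, so that a forgotten comparison cannot silently reintroduce the bug, and normalize both sides before comparing so that format differences never become an argument for weakening the check.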
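A detection analytic for the monitoring recommendation, as an added example that is neither the CraftedSignal Sigma rule nor part of the advisory. It assumes a JSON-lines application or WAF log that records, per request, the WordPress AJAX action, the source address, the phone number submitted and, when the site logs it, the phoneNumber Firebase returned; the field names and the sample lines are constructed for the example. A default access log, which sees only the POST to admin-ajax.php, supports neither signal and allows only request counting.

```python
"""Detection analytic for CVE-2026-3655 abuse over request-body logs.

Added example, not the CraftedSignal Sigma rule and not plugin code. It
assumes a JSON-lines application or WAF log that records, per request,
the WordPress AJAX action, the source address, the phone number submitted
and (when the site logs it) the phoneNumber Firebase returned. Field names
and SAMPLE_LOG are constructed; phone numbers are assumed to be logged in
a canonical form so that a plain string comparison is meaningful.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an attacker at 203.0.113.5 holds one verified session
# for +15550000001 and replays it against three other accounts; 198.51.100.7
# is a legitimate login; the heartbeat line is unrelated noise.
SAMPLE_LOG = """
{"ts":"2026-05-29T08:00:01Z","src":"203.0.113.5","action":"lwp_ajax_register","phone":"+15551234567","firebase_phone":"+15550000001"}
{"ts":"2026-05-29T08:00:09Z","src":"203.0.113.5","action":"lwp_ajax_register","phone":"+15557654321","firebase_phone":"+15550000001"}
{"ts":"2026-05-29T08:00:15Z","src":"203.0.113.5","action":"lwp_ajax_register","phone":"+15550001111","firebase_phone":"+15550000001"}
{"ts":"2026-05-29T08:01:00Z","src":"198.51.100.7","action":"lwp_ajax_register","phone":"+15559990000","firebase_phone":"+15559990000"}
{"ts":"2026-05-29T08:02:00Z","src":"198.51.100.7","action":"heartbeat"}
"""

TARGET_ACTION = "lwp_ajax_register"
WINDOW = timedelta(minutes=10)
MAX_PHONES_PER_SRC = 2   # one number per genuine user, with room for a retry


def parse(log: str) -> list:
    """Keep only lwp_ajax_register events, oldest first."""
    events = []
    for line in log.strip().splitlines():
        rec = json.loads(line)
        if rec.get("action") != TARGET_ACTION:
            continue
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(log: str) -> list:
    events = parse(log)
    alerts = []

    # Signal 1, the bypass itself: the number the client asked to log in with
    # differs from the number Firebase actually verified. Only available when
    # the application logs Firebase's phoneNumber next to the submitted one.
    for e in events:
        verified = e.get("firebase_phone")
        if verified and verified != e["phone"]:
            alerts.append({"rule": "verified_phone_mismatch", "src": e["src"],
                           "submitted": e["phone"], "verified": verified})

    # Signal 2, enumeration: one source trying many distinct phone numbers
    # inside WINDOW. Needs no Firebase value, so it also works from a WAF
    # that only sees the request body.
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            phones = {e["phone"] for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW}
            if len(phones) > MAX_PHONES_PER_SRC:
                alerts.append({"rule": "phone_enumeration", "src": src,
                               "phones": sorted(phones),
                               "window_start": first["ts"].isoformat()})
                break   # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

The first signal is the precise one but only exists if something records Firebase's phoneNumber beside the submitted number, for instance a small must-use plugin hooked around the handler or a WAF with body inspection; the second fires on the noisier enumeration pattern and is what most deployments can actually produce. Whatever produces the log should record the phone numbers but never the Firebase session or ID token itself, which is a bearer credential.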