{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-8760/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-8760"},{"cvss":8.1,"id":"CVE-2024-11178"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Login with OTP plugin"],"_cs_severities":["critical"],"_cs_tags":["wordpress","authentication-bypass","cve-2026-8760","brute-force"],"_cs_type":"threat","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Login with OTP plugin for WordPress, in versions up to and including 1.6, is vulnerable to an authentication bypass (CVE-2026-8760). This vulnerability stems from an incomplete fix for CVE-2024-11178. The rate-limiting and lockout mechanisms implemented in \u003ccode\u003eotpl_login_action()\u003c/code\u003e are only applied during OTP generation, and not during OTP validation. Additionally, the generated 6-digit OTP codes do not expire. This design flaw allows unauthenticated attackers to systematically brute-force the 900,000 possible OTP values for any user account, including administrators. 
Successful brute-forcing yields a valid authentication cookie issued by \u003ccode\u003ewp_set_auth_cookie()\u003c/code\u003e, resulting in complete compromise of the WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target WordPress site running the vulnerable Login with OTP plugin (version 1.6 or earlier).\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the WordPress login page.\u003c/li\u003e\n\u003cli\u003eAttacker enters a valid username for an existing account (e.g., administrator).\u003c/li\u003e\n\u003cli\u003eThe site generates an OTP and sends it to the account owner. The attacker never needs to see it: because the code does not expire, it stays valid for as long as the brute force takes.\u003c/li\u003e\n\u003cli\u003eAttacker submits login attempts with different OTP values via HTTP POST requests, without requesting another OTP; the single generation request stays well under the generation-side rate limit.\u003c/li\u003e\n\u003cli\u003eThe OTP validation branch in \u003ccode\u003eotpl_login_action()\u003c/code\u003e lacks rate limiting and lockout, so the attempts are neither throttled nor blocked.\u003c/li\u003e\n\u003cli\u003eAttacker iterates through the 900,000 possible 6-digit OTP values until the outstanding code is matched.\u003c/li\u003e\n\u003cli\u003eUpon successful validation, the plugin calls \u003ccode\u003ewp_set_auth_cookie()\u003c/code\u003e and the attacker receives a session cookie, granting authenticated access to the targeted WordPress account with the privileges of that user (e.g. administrator).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass the intended OTP-based authentication mechanism, gaining unauthorized access to WordPress accounts, including those with administrative privileges. This can lead to complete site compromise, including data theft, defacement, malware injection, and denial of service.
Every WordPress site running the plugin at version 1.6 or earlier is exposed, and the attack requires nothing beyond a valid username for the target account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy a detection rule (Sigma or equivalent) that alerts on bursts of POST requests to \u003ccode\u003ewp-login.php\u003c/code\u003e from a single source, keying on the \u003ccode\u003eotpl_login_action\u003c/code\u003e parameter where the request line or body is logged.\u003c/li\u003e\n\u003cli\u003eDisable the Login with OTP plugin (versions up to and including 1.6) until a patched version is available.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual POST request patterns to \u003ccode\u003ewp-login.php\u003c/code\u003e, especially involving the \u003ccode\u003eotpl_login_action\u003c/code\u003e action; a single OTP request for a username followed by a high volume of OTP submissions for the same username is the signature of this attack.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to rate-limit login attempts and block suspicious IP addresses. The limit must apply to OTP validation submissions, not only to OTP requests, because the plugin's own limit covers only generation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T07:18:00Z","date_published":"2026-05-27T07:18:00Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8760-wordpress-otp-bypass/","summary":"The Login with OTP plugin for WordPress is vulnerable to authentication bypass due to an incomplete fix for CVE-2024-11178, allowing unauthenticated attackers to brute-force OTP codes and gain administrative access.","title":"CVE-2026-8760: WordPress Login with OTP Plugin Authentication Bypass","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8760-wordpress-otp-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-8760","version":"https://jsonfeed.org/version/1.1"}
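The design flaw the brief describes (rate limiting and lockout applied to OTP generation but not to OTP validation, plus codes that never expire) and the shape of a correct fix, as a model added here for illustration. This is hypothetical Python, not the plugin's PHP and not CraftedSignal's code; the class and function names, the lockout thresholds, the 300-second code lifetime and the assumption that the 900,000 codes are 100000 through 999999 are all mine. The `seed` argument only makes the simulated OTP reproducible; the simulated attacker never reads the code it is guessing.

```python
"""Model of the flaw behind CVE-2026-8760: OTP generation is rate limited,
OTP validation is not, and codes never expire.  Hypothetical Python
(added example, not the plugin's PHP); thresholds and keyspace are assumed."""
import hmac
import random

OTP_MIN, OTP_MAX = 100_000, 999_999  # assumed: 6 digits, no leading zero (900,000 codes)
MAX_GENERATIONS = 5                  # assumed lockout threshold on OTP requests
MAX_VALIDATIONS = 5                  # assumed lockout threshold on OTP submissions (fix only)
OTP_TTL_SECONDS = 300                # assumed code lifetime (fix only)


class LockedOut(Exception):
    """The account hit a rate limit and is locked."""


class FakeClock:
    """Deterministic clock so expiry can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class OtpLogin:
    """limit_validation=False, expire_codes=False reproduces the flaw;
    both True is the hardened variant."""

    def __init__(self, limit_validation, expire_codes, clock=None):
        self.limit_validation = limit_validation
        self.expire_codes = expire_codes
        self.clock = clock or FakeClock()
        self.codes = {}        # user -> (code, issued_at)
        self.generations = {}  # user -> OTP requests made
        self.validations = {}  # user -> OTP submissions made
        self.locked = set()

    def request_otp(self, user, rng=None):
        """OTP generation. Rate limited in both variants, as the advisory describes."""
        if user in self.locked:
            raise LockedOut(user)
        self.generations[user] = self.generations.get(user, 0) + 1
        if self.generations[user] > MAX_GENERATIONS:
            self.locked.add(user)
            raise LockedOut(user)
        code = (rng or random.SystemRandom()).randint(OTP_MIN, OTP_MAX)
        self.codes[user] = (code, self.clock.now())
        return code  # in reality delivered to the account owner out of band

    def validate(self, user, code):
        """OTP validation. The vulnerable variant applies no limit and no expiry here."""
        if user in self.locked:
            raise LockedOut(user)
        if self.limit_validation:
            self.validations[user] = self.validations.get(user, 0) + 1
            if self.validations[user] > MAX_VALIDATIONS:
                self.locked.add(user)
                self.codes.pop(user, None)  # also void the outstanding code
                raise LockedOut(user)
        entry = self.codes.get(user)
        if entry is None:
            return False
        expected, issued_at = entry
        if self.expire_codes and self.clock.now() - issued_at > OTP_TTL_SECONDS:
            self.codes.pop(user)
            return False
        if hmac.compare_digest(f"{expected:06d}", f"{int(code):06d}"):
            self.codes.pop(user)  # single use
            return True  # the plugin would call wp_set_auth_cookie() here
        return False


def vulnerable_login(clock=None):
    return OtpLogin(limit_validation=False, expire_codes=False, clock=clock)


def hardened_login(clock=None):
    return OtpLogin(limit_validation=True, expire_codes=True, clock=clock)


def simulate_attack(login, user, seed=0):
    """Attacker triggers ONE OTP for `user` (never tripping the generation
    limit), then submits every 6-digit code in order without reading it."""
    code = login.request_otp(user, random.Random(seed))
    attempts = 0
    for guess in range(OTP_MIN, OTP_MAX + 1):
        attempts += 1
        try:
            if login.validate(user, guess):
                return {"code": code, "success": True, "attempts": attempts, "locked": False}
        except LockedOut:
            return {"code": code, "success": False, "attempts": attempts, "locked": True}
    return {"code": code, "success": False, "attempts": attempts, "locked": False}


if __name__ == "__main__":
    print("vulnerable:", simulate_attack(vulnerable_login(), "admin", seed=42))
    print("hardened:  ", simulate_attack(hardened_login(), "admin", seed=42))
```

Against the vulnerable model the attacker succeeds after exactly `code - 100000 + 1` submissions with a single OTP request, so the generation-side limit is never touched; against the hardened model the account locks after `MAX_VALIDATIONS + 1` submissions and the outstanding code is voided. The fix is therefore two independent changes: count and lock on validation attempts, and bind every code to an issue time.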
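The recommendation calls for detecting bursts of POST requests to wp-login.php from one source. The detector below is added here as an example; it is neither a Sigma rule nor code from the brief or the plugin. It runs a per-source sliding window over access-log lines in combined log format, with a constructed sample log built inline. The 20-requests-per-60-seconds threshold is an assumption, as is the idea that `otpl_login_action` shows up in the request line: when the parameter travels only in the POST body it is absent from a default access log, so the count of login POSTs is the primary signal and the parameter is recorded only as corroboration when visible.

```python
"""Sliding-window detector for OTP brute-force bursts against wp-login.php.
Added example, not a Sigma rule and not CraftedSignal's code. Assumes
combined log format; threshold and window are assumptions."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
THRESHOLD = 20       # assumed: login POSTs per source per window before alerting
WINDOW_SECONDS = 60  # assumed


def parse_line(line):
    """Parse one combined-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_login_post(rec):
    """POST to wp-login.php, regardless of query string."""
    path = rec["target"].partition("?")[0]
    return rec["method"] == "POST" and path.endswith("/wp-login.php")


def detect(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Alert per source IP once `threshold` login POSTs fall inside `window`
    seconds. Lines for a given IP are expected in chronological order."""
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs still in window
    totals = Counter()           # ip -> all login POSTs seen
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_post(rec):
            continue
        ip, ts = rec["ip"], rec["ts"]
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"ip": ip, "first": q[0], "last": ts,
                                       "otp_action_seen": False})
            a["last"] = ts
            # corroboration only: the parameter is absent when sent in the body
            a["otp_action_seen"] |= "otpl_login_action" in rec["target"]
    for ip, a in alerts.items():
        a["count"] = totals[ip]
    return list(alerts.values())


def _line(ip, ts, method, target, status=200):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {target} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


def build_sample_log():
    """Constructed log: one OTP-bypass burst, one benign user, one unrelated scanner."""
    t0 = datetime(2026, 5, 27, 7, 18, 0, tzinfo=timezone.utc)
    lines = [_line("203.0.113.7", t0, "GET", "/wp-login.php")]
    # attacker: one OTP request, then rapid validation POSTs two seconds apart
    # (assumed: the action name is carried in the query string and so is logged)
    lines.append(_line("203.0.113.7", t0, "POST", "/wp-login.php?action=otpl_login_action"))
    lines += [_line("203.0.113.7", t0 + timedelta(seconds=2 + i), "POST",
                    "/wp-login.php?action=otpl_login_action") for i in range(40)]
    # benign: three submissions minutes apart
    lines += [_line("198.51.100.22", t0 + timedelta(minutes=3 * i), "POST",
                    "/wp-login.php", 302) for i in range(3)]
    # unrelated: xmlrpc probing, not a login POST
    lines += [_line("192.0.2.5", t0 + timedelta(seconds=i), "POST",
                    "/xmlrpc.php", 405) for i in range(30)]
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Only the burst source trips the alert; the benign user's three submissions spread over six minutes never fill the window, and the xmlrpc probing is not a login POST at all. Tune `THRESHOLD` and `WINDOW_SECONDS` to the site's real login volume, and feed the detector the same log your WAF or reverse proxy writes, since that is where the request line for `wp-login.php` is recorded.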