{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/miniorange/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-14245"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["miniOrange OTP Login, Verification and SMS Notifications plugin \u003c 5.5.1"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","authentication-bypass","web","cve"],"_cs_type":"advisory","_cs_vendors":["miniOrange"],"content_html":"\u003cp\u003eThe miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress versions up to and including 5.5.1 is vulnerable to an authentication bypass, identified as CVE-2026-14245. This flaw stems from the \u003ccode\u003eum_reset_password_process_hook()\u003c/code\u003e function's failure to perform server-side verification that the One-Time Password (OTP) validation step was completed. The plugin also emits a public \u003ccode\u003eform_nonce\u003c/code\u003e via a JavaScript object on the Ultimate Member password reset page, which attackers can leverage. By combining this nonce with an attacker-controlled \u003ccode\u003eusername_b\u003c/code\u003e parameter, an unauthenticated actor can target any WordPress user, including Administrators, and obtain a password-reset URL for their account. This critical vulnerability allows for full account takeover and enables unauthorized administrative control over the affected WordPress instance. Exploitation requires the Ultimate Member Password Reset Form integration to be active and the miniOrange plugin not configured for phone-only reset.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running the vulnerable miniOrange OTP Login, Verification and SMS Notifications plugin (versions \u0026lt;= 5.5.1) with the Ultimate Member Password Reset Form integration active.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Ultimate Member password reset page, where the plugin publicly emits a \u003ccode\u003eform_nonce\u003c/code\u003e via the \u003ccode\u003emoumprvar\u003c/code\u003e JavaScript object. The attacker extracts this nonce value.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request (likely a POST request) to the server-side password reset handler (e.g., associated with the \u003ccode\u003eum_reset_password_process_hook()\u003c/code\u003e function).\u003c/li\u003e\n\u003cli\u003eThis request includes the extracted \u003ccode\u003eform_nonce\u003c/code\u003e and an attacker-chosen \u003ccode\u003eusername_b\u003c/code\u003e parameter, targeting an existing Administrator account on the WordPress site.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the server processes the request without validating whether the OTP verification step was successfully completed for the targeted user.\u003c/li\u003e\n\u003cli\u003eThe server responds with an HTTP 302 redirect, providing a freshly generated password-reset URL in the \u003ccode\u003eLocation\u003c/code\u003e header for the specified Administrator account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this URL to set a new password for the Administrator account, thereby gaining full administrative control over the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-14245 is severe, as it allows any unauthenticated attacker to gain full administrative control over a vulnerable WordPress site. This can lead to complete compromise of the website, including data exfiltration, website defacement, injection of malicious content, establishment of persistent backdoors, and use of the site for further attacks (e.g., phishing or malware distribution). The vulnerability, with a CVSS v3.1 Base Score of 9.8 (Critical), signifies a high likelihood of successful exploitation with devastating consequences for the affected organization, impacting website integrity, data confidentiality, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the miniOrange OTP Login, Verification and SMS Notifications plugin to a patched version beyond 5.5.1 to address CVE-2026-14245.\u003c/li\u003e\n\u003cli\u003eReview the configuration of the miniOrange OTP plugin to ensure it is not configured for phone-only reset if other reset methods are intended to be secured.\u003c/li\u003e\n\u003cli\u003eAudit WordPress user accounts, especially Administrator accounts, for any unauthorized password changes or suspicious activity that may indicate prior exploitation of CVE-2026-14245.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T08:22:33Z","date_published":"2026-07-09T08:22:33Z","id":"https://feed.craftedsignal.io/briefs/2026-07-miniorange-auth-bypass/","summary":"A critical authentication bypass vulnerability, CVE-2026-14245, exists in the miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress, affecting all versions up to 5.5.1, allowing unauthenticated attackers to obtain a password-reset URL for an arbitrary Administrator account and achieve full account takeover due to a lack of server-side OTP verification and reliance on a publicly exposed `form_nonce`.","title":"CVE-2026-14245 - miniOrange OTP WordPress Plugin Authentication Bypass","url":"https://feed.craftedsignal.io/briefs/2026-07-miniorange-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - MiniOrange","version":"https://jsonfeed.org/version/1.1"}