<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>MiniOrange - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/miniorange/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 08:22:33 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/miniorange/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14245 - miniOrange OTP WordPress Plugin Authentication Bypass</title><link>https://feed.craftedsignal.io/briefs/2026-07-miniorange-auth-bypass/</link><pubDate>Thu, 09 Jul 2026 08:22:33 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-miniorange-auth-bypass/</guid><description>A critical authentication bypass vulnerability, CVE-2026-14245, exists in the miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress, affecting all versions up to 5.5.1, allowing unauthenticated attackers to obtain a password-reset URL for an arbitrary Administrator account and achieve full account takeover due to a lack of server-side OTP verification and reliance on a publicly exposed `form_nonce`.</description><content:encoded><![CDATA[<p>The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress versions up to and including 5.5.1 is vulnerable to an authentication bypass, identified as CVE-2026-14245. This flaw stems from the <code>um_reset_password_process_hook()</code> function's failure to perform server-side verification that the One-Time Password (OTP) validation step was completed. The plugin also emits a public <code>form_nonce</code> via a JavaScript object on the Ultimate Member password reset page, which attackers can leverage. By combining this nonce with an attacker-controlled <code>username_b</code> parameter, an unauthenticated actor can target any WordPress user, including Administrators, and obtain a password-reset URL for their account. This critical vulnerability allows for full account takeover and enables unauthorized administrative control over the affected WordPress instance. Exploitation requires the Ultimate Member Password Reset Form integration to be active and the miniOrange plugin not configured for phone-only reset.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site running the vulnerable miniOrange OTP Login, Verification and SMS Notifications plugin (versions &lt;= 5.5.1) with the Ultimate Member Password Reset Form integration active.</li>
<li>The attacker navigates to the Ultimate Member password reset page, where the plugin publicly emits a <code>form_nonce</code> via the <code>moumprvar</code> JavaScript object. The attacker extracts this nonce value.</li>
<li>The attacker crafts a malicious HTTP request (likely a POST request) to the server-side password reset handler (e.g., associated with the <code>um_reset_password_process_hook()</code> function).</li>
<li>This request includes the extracted <code>form_nonce</code> and an attacker-chosen <code>username_b</code> parameter, targeting an existing Administrator account on the WordPress site.</li>
<li>Due to the vulnerability, the server processes the request without validating whether the OTP verification step was successfully completed for the targeted user.</li>
<li>The server responds with an HTTP 302 redirect, providing a freshly generated password-reset URL in the <code>Location</code> header for the specified Administrator account.</li>
<li>The attacker uses this URL to set a new password for the Administrator account, thereby gaining full administrative control over the WordPress site.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of CVE-2026-14245 is severe, as it allows any unauthenticated attacker to gain full administrative control over a vulnerable WordPress site. This can lead to complete compromise of the website, including data exfiltration, website defacement, injection of malicious content, establishment of persistent backdoors, and use of the site for further attacks (e.g., phishing or malware distribution). The vulnerability, with a CVSS v3.1 Base Score of 9.8 (Critical), signifies a high likelihood of successful exploitation with devastating consequences for the affected organization, impacting website integrity, data confidentiality, and availability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the miniOrange OTP Login, Verification and SMS Notifications plugin to a patched version beyond 5.5.1 to address CVE-2026-14245.</li>
<li>Review the configuration of the miniOrange OTP plugin to ensure it is not configured for phone-only reset if other reset methods are intended to be secured.</li>
<li>Audit WordPress user accounts, especially Administrator accounts, for any unauthorized password changes or suspicious activity that may indicate prior exploitation of CVE-2026-14245.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>authentication-bypass</category><category>web</category><category>cve</category></item></channel></rss>