CVE-2025-7692
BaseFortify
Publication date: 2025-07-22
Last updated on: 2025-07-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | * |
| imran_sayed | orion_login_with_sms | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Orion Login with SMS plugin for WordPress allows unauthenticated attackers to bypass authentication. This happens because the function olws_handle_verify_phone() uses a weak OTP value, exposes the hash needed to generate the OTP, and does not limit the number of attempts to submit the code. As a result, attackers who know a user's phone number can log in as that user, including administrators.
How can this vulnerability impact me? :
This vulnerability can allow attackers to gain unauthorized access to user accounts, including administrator accounts, on WordPress sites using the Orion Login with SMS plugin. This can lead to full site compromise, data theft, unauthorized changes, and potential disruption of services.