CVE-2026-8760
Authentication Bypass in WordPress Login with OTP Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | login_with_otp | to 1.6 (inc) |
| wordfence | login_with_otp | to 1.4.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Login with OTP plugin for WordPress, up to and including version 1.6, has an authentication bypass vulnerability. This occurs because a previous fix for a similar issue (CVE-2024-11178) was incomplete: the rate-limit and lockout checks were only applied during OTP generation, not during OTP validation. Additionally, the 6-digit OTP generated does not expire. As a result, unauthenticated attackers can brute-force the 900,000 possible OTP values for any user account, including administrators, and gain a valid authentication session, leading to full site compromise.
How can this vulnerability impact me? :
This vulnerability allows attackers to bypass authentication without any privileges or user interaction. By brute-forcing the OTP, attackers can log in as any user, including administrators, and gain full control over the WordPress site. This can lead to unauthorized access, data theft, site defacement, or complete takeover of the website.