CVE-2026-8760
Deferred Deferred - Pending Action
Authentication Bypass in WordPress Login with OTP Plugin

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Wordfence

Description
The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-8760
EUVD
EUVD-2026-32084
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordfence login_with_otp to 1.6 (inc)
wordfence login_with_otp to 1.4.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Login with OTP plugin for WordPress, up to and including version 1.6, has an authentication bypass vulnerability. This occurs because a previous fix for a similar issue (CVE-2024-11178) was incomplete: the rate-limit and lockout checks were only applied during OTP generation, not during OTP validation. Additionally, the 6-digit OTP generated does not expire. As a result, unauthenticated attackers can brute-force the 900,000 possible OTP values for any user account, including administrators, and gain a valid authentication session, leading to full site compromise.

Impact Analysis

This vulnerability allows attackers to bypass authentication without any privileges or user interaction. By brute-forcing the OTP, attackers can log in as any user, including administrators, and gain full control over the WordPress site. This can lead to unauthorized access, data theft, site defacement, or complete takeover of the website.

Compliance Impact

The vulnerability allows unauthenticated attackers to bypass authentication and gain full site compromise, including administrator access. This can lead to unauthorized access to sensitive personal data stored or processed by the WordPress site.

Such unauthorized access and potential data breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and health information.

Specifically, failure to protect user authentication mechanisms and prevent unauthorized access may violate requirements for data confidentiality, integrity, and security under these standards.

Mitigation Strategies

To mitigate this vulnerability, you should immediately update the Login with OTP plugin for WordPress to a version later than 1.6 where the authentication bypass issue is fixed.

Since the vulnerability allows brute forcing of the 6-digit OTP without expiration or proper rate limiting, disabling the plugin temporarily until an update is applied can prevent exploitation.

Additionally, monitoring login attempts and implementing additional rate limiting or multi-factor authentication methods can help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8760. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart