CVE-2026-14245
Received Received - Intake

Authentication Bypass in miniOrange OTP Login WordPress Plugin

Vulnerability report for CVE-2026-14245, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Wordfence

Description

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the `um_reset_password_process_hook()` function performing no server-side verification that the OTP validation step was completed, and relying solely on a public `form_nonce` nonce that the plugin itself emits to unauthenticated visitors via the `moumprvar` JavaScript object on the Ultimate Member password reset page, while still accepting the attacker-controlled `username_b` parameter to target any WordPress user without role restriction or any binding to a previously validated OTP session. This makes it possible for unauthenticated attackers to obtain a freshly generated password-reset URL for an arbitrary Administrator account β€” returned in a 302 `Location` header β€” and use it to take full control of that account. Exploitation requires the Ultimate Member Password Reset Form integration to be active and the plugin to not be configured for phone-only reset.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
miniorange otp_login_verification_and_sms_notifications to 5.5.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress has a vulnerability that allows an attacker to bypass authentication and take over administrator accounts. This happens because the function responsible for processing password resets does not verify that the OTP (One-Time Password) validation step was completed on the server side. Instead, it relies only on a public nonce value that is accessible to unauthenticated users. Additionally, the plugin accepts a parameter that lets an attacker target any WordPress user without restrictions or verification tied to a valid OTP session. As a result, an attacker can generate a password reset URL for any administrator account and use it to gain full control of that account.

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated attackers to take over administrator accounts on a WordPress site. With administrator access, attackers can fully control the website, including modifying content, installing malicious software, stealing sensitive data, and disrupting site operations. The high CVSS score of 9.8 reflects the critical nature of this risk, indicating it is easy to exploit and results in complete compromise of confidentiality, integrity, and availability.

Compliance Impact

This vulnerability allows unauthenticated attackers to take over administrator accounts by bypassing authentication controls in the miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress. Such unauthorized access to administrator accounts can lead to full control over the affected system, potentially resulting in unauthorized access to sensitive personal data.

Because of the high impact on confidentiality, integrity, and availability (CVSS 9.8), exploitation of this vulnerability could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict access controls and protection of personal data. Organizations using the affected plugin without mitigation may fail to meet compliance requirements related to securing user data and preventing unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14245. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart