CVE-2026-8760المعلومات

الملخص

بحسب MITRE • 27/05/2026

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

إفشاء

27/05/2026

الاعتدال

قيد المراجعة

CPE

جاري المعالجة

CWE

CWE-307 (غير مؤكد)

EPSS

0.00000

KEV

لا

النشاطات

منخفض جدًا

المصادر

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-8760
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-8760
CVE Details	https://www.cvedetails.com/cve/CVE-2026-8760/

التالي ▸نظرة عامة ◂ السابق

Want to stay up to date on a daily basis?

Enable the mail alert feature now!