CVE-2026-8760information

Résumé

par MITRE • 27/05/2026

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Divulgation

27/05/2026

Modérer

en révision

CPE

En cours

CWE

CWE-307 (non confirmé)

EPSS

0.00000

KEV

non

Activités

très faible

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-8760
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-8760
CVE Details	https://www.cvedetails.com/cve/CVE-2026-8760/

◂ Précédent Aperçu Suivant ▸

Do you know our Splunk app?

Download it now for free!