⚡ Active KEV CVE-2026-3655 2026-05-29

CVE-2026-3655: Authentication Bypass in WordPress OTP Login With Phone Number Plugin

"A critical authentication bypass (CVSS 9.8) in the OTP Login With Phone Number plugin lets unauthenticated attackers log in as any user, including administrators, by abusing a broken Firebase verification flow."

What Is It

CVE-2026-3655 is a CWE-287 (Improper Authentication) flaw in the OTP Login With Phone Number, OTP Verification plugin for WordPress. The lwp_ajax_register AJAX handler calls idehweb_lwp_activate_through_firebase() to confirm that a Firebase OTP session is legitimate, but it never compares the phoneNumber that Firebase returns for that session against the phone number supplied in the request or the one stored on the targeted user. Firebase therefore only proves that the caller completed an OTP for some phone number, not for the number being logged in. An attacker completes Firebase verification for a number they control, submits a victim's phone number in the same request, and the plugin authenticates them as the user whose meta holds that number.
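The pattern above, shown as an added example rather than the plugin's own code: a hypothetical, minimal WordPress AJAX login handler in the vulnerable shape (Firebase session validated, phone number never bound) next to a hardened version that ties the verified number to the account before setting the auth cookie. All names prefixed lwp_example_, the phone_number meta key, the request field names and the filter used to stand in for Firebase token verification are assumptions for illustration.

```php
<?php
// Added illustration, not code from the OTP Login With Phone Number plugin.
// Assumptions: the client posts 'phone' and a Firebase 'id_token'; the WordPress
// account's phone is stored in user meta under 'phone_number'.

// Stand-in for Firebase verification. A real implementation validates the ID
// token (signature, issuer, audience, expiry) and returns its decoded claims,
// which include 'phone_number'. Here a filter supplies the claims, or null.
function lwp_example_verify_firebase( string $id_token ): ?array {
    $claims = apply_filters( 'lwp_example_verify_firebase_token', null, $id_token );
    return is_array( $claims ) ? $claims : null;
}

// Keep a leading '+' and digits only, so "+1 (555) 010-0000" and "+15550100000"
// compare equal and a formatting difference cannot defeat the check.
function lwp_example_normalize_phone( string $phone ): string {
    return preg_replace( '/[^0-9+]/', '', $phone ) ?? '';
}

// VULNERABLE shape: once Firebase says *a* session is valid, the handler trusts
// whatever phone number the request carries and logs in whoever owns it.
function lwp_example_login_vulnerable(): void {
    $phone  = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $claims = lwp_example_verify_firebase( sanitize_text_field( wp_unslash( $_POST['id_token'] ?? '' ) ) );
    if ( null === $claims ) {
        wp_send_json_error( 'invalid firebase session', 403 ); // wp_die()s
    }
    // BUG: $claims['phone_number'] is never compared with $phone.
    $users = get_users( [ 'meta_key' => 'phone_number', 'meta_value' => $phone, 'number' => 1 ] );
    if ( empty( $users ) ) {
        wp_send_json_error( 'no such user', 403 );
    }
    wp_set_auth_cookie( $users[0]->ID, false ); // attacker is now the victim
    wp_send_json_success( [ 'user_id' => $users[0]->ID ] );
}

// HARDENED shape: the number Firebase actually verified must match both the
// number the client claims and the number stored on the account found.
function lwp_example_login_fixed(): void {
    $phone  = lwp_example_normalize_phone( sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) ) );
    $claims = lwp_example_verify_firebase( sanitize_text_field( wp_unslash( $_POST['id_token'] ?? '' ) ) );
    if ( null === $claims || empty( $claims['phone_number'] ) ) {
        wp_send_json_error( 'invalid firebase session', 403 );
    }
    $verified = lwp_example_normalize_phone( (string) $claims['phone_number'] );

    // 1. Bind the session to the request: verified number == requested number.
    if ( '' === $verified || ! hash_equals( $verified, $phone ) ) {
        wp_send_json_error( 'phone number mismatch', 403 );
    }

    // 2. Look the account up by the *verified* number, never by client input.
    $users = get_users( [ 'meta_key' => 'phone_number', 'meta_value' => $verified, 'number' => 1 ] );
    if ( empty( $users ) ) {
        wp_send_json_error( 'no such user', 403 );
    }
    $user = $users[0];

    // 3. Re-check against the stored value after normalisation so a loose
    //    meta_value match cannot pair the session with a different account.
    $stored = lwp_example_normalize_phone( (string) get_user_meta( $user->ID, 'phone_number', true ) );
    if ( ! hash_equals( $verified, $stored ) ) {
        wp_send_json_error( 'phone number mismatch', 403 );
    }

    wp_set_auth_cookie( $user->ID, false );
    wp_send_json_success( [ 'user_id' => $user->ID ] );
}

// Unauthenticated callers reach the handler via admin-ajax.php, which is why the
// binding check, not WordPress capability checks, is the only gate here.
add_action( 'wp_ajax_nopriv_lwp_example_login', 'lwp_example_login_fixed' );
add_action( 'wp_ajax_lwp_example_login', 'lwp_example_login_fixed' );
```

The essential difference is a single comparison: the hardened handler refuses to proceed unless the phone number inside the verified Firebase claims equals the number it is about to log in, and it performs the user lookup with that verified value rather than with request input. Everything else (nonces, rate limiting) is defence in depth and does not by itself close the bypass.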

Why It Matters

The vector is network-based, requires no privileges, and needs no user interaction. Any WordPress site running an affected version of the plugin is exposed to full account takeover by an unauthenticated attacker for every account, administrators included, whose phone number is stored in user meta; the attacker needs only a phone number of their own to complete the Firebase OTP step. Successful exploitation gives complete confidentiality, integrity, and availability impact on the site, which is what earns the 9.8 CRITICAL score. There is no CISA KEV entry confirming active exploitation at this time.

What's Vulnerable

The OTP Login With Phone Number, OTP Verification plugin for WordPress at version 1.8.60, the tag against which the fix changeset was cut. The affected code path is the lwp_ajax_register handler in inc/ajax-handlers.php. The page names no lower bound for earlier releases.
Patch Status

A fix is reflected in the plugin's trunk via changeset 3479314, which modifies inc/ajax-handlers.php relative to the vulnerable 1.8.60 tag. Site operators should update to a version newer than 1.8.60 that incorporates this changeset, and confirm in the updated inc/ajax-handlers.php that the Firebase phone number is now compared against the account being logged in. They should also audit administrator accounts and user-meta phone numbers for signs of abuse: logins from unfamiliar addresses, newly created or elevated users, and phone numbers changed on privileged accounts.
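A quick patch-status check for an installed copy, as an added example that is not part of the advisory or the plugin. It reads the standard "Version:" header from a WordPress plugin's main file and compares it with 1.8.60 in pure POSIX sh. The page names 1.8.60 as the vulnerable tag and the fix as anything newer, so the check treats 1.8.60 and older as unpatched; that lower bound, and the path to the plugin's main file, are assumptions the reader supplies and should confirm against the plugin changelog.

```shell
#!/bin/sh
# Added example; not the plugin's or the advisory's own tooling.
# ASSUMPTION: releases up to and including 1.8.60 are treated as vulnerable,
# because the page names 1.8.60 as the vulnerable tag and the fix as newer.

LWP_LAST_VULNERABLE="1.8.60"

# Print the Version header of a WordPress plugin main file, e.g.
#   " * Version: 1.8.60"  ->  1.8.60
lwp_installed_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Compare two dotted versions numerically, component by component.
# Prints -1 (a < b), 0 (equal) or 1 (a > b); missing components count as 0.
lwp_vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; [ "$ai" = "$a" ] && a="" || a=${a#*.}
        bi=${b%%.*}; [ "$bi" = "$b" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
    done
    echo 0
}

# Exit 0 (true) when VERSION is 1.8.60 or older, or unknown; 1 otherwise.
lwp_is_vulnerable() {
    ver="$1"
    [ -n "$ver" ] || return 0          # could not read a version: assume the worst
    [ "$(lwp_vercmp "$ver" "$LWP_LAST_VULNERABLE")" -le 0 ]
}

# Usage: lwp_check /path/to/wp-content/plugins/<plugin-dir>/<main-file>.php
# Exit status 1 when the install still needs the fix, 0 when it is newer.
lwp_check() {
    v=$(lwp_installed_version "$1")
    if lwp_is_vulnerable "$v"; then
        echo "VULNERABLE: ${v:-unknown version} (<= $LWP_LAST_VULNERABLE) in $1"
        return 1
    fi
    echo "patched: $v (> $LWP_LAST_VULNERABLE) in $1"
    return 0
}
```

Pointing lwp_check at the plugin's main file from cron or a configuration-management run turns the advisory's "newer than 1.8.60" into a non-zero exit status that can gate a deploy. A version string is only evidence of what is on disk, so on a site that may already have been hit the account and user-meta audit above still applies.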

Sources