Wasteland.

CVE-2026-8760: Login with OTP WordPress Plugin Auth Bypass via Brute-Forceable OTP

A critical (CVSS 9.8) authentication bypass in the Login with OTP WordPress plugin lets unauthenticated attackers brute-force a non-expiring 6-digit OTP to hijack any account, including administrators.

What Is It

CVE-2026-8760 is an authentication bypass affecting the Login with OTP plugin for WordPress in all versions up to and including 1.6. The flaw is an incomplete fix for CVE-2024-11178: the rate-limit and lockout check added to otpl_login_action() sits only inside the OTP-generation branch and is never evaluated on the OTP-validation branch. Compounding that, the generated 6-digit OTP has no expiration. The classification is CWE-307 (Improper Restriction of Excessive Authentication Attempts).
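The structural problem above is easiest to see in code. The following is an added illustration, not the plugin's code: a hypothetical single entry point that, like otpl_login_action(), serves both the generate and validate branches, with the lockout check placed ahead of both and an expiry attached to each OTP. MAX_FAILURES, LOCKOUT_SECONDS and OTP_TTL_SECONDS are assumed policy values.

```python
import secrets
import time

# Assumed policy values (not from the advisory).
MAX_FAILURES, LOCKOUT_SECONDS, OTP_TTL_SECONDS = 5, 900, 300


class OtpLogin:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable for testing
        self.otps = {}          # user -> (code, issued_at)
        self.failures = {}      # user -> (failure_count, locked_until)

    def _locked(self, user):
        return self.clock() < self.failures.get(user, (0, 0.0))[1]

    def _record_failure(self, user):
        count, locked_until = self.failures.get(user, (0, 0.0))
        if count >= MAX_FAILURES and self.clock() >= locked_until:
            count = 0           # earlier lockout window has elapsed
        count += 1
        if count >= MAX_FAILURES:
            locked_until = self.clock() + LOCKOUT_SECONDS
        self.failures[user] = (count, locked_until)

    def handle(self, user, action, code=None):
        # Lockout is checked before EITHER branch. The incomplete fix for
        # CVE-2024-11178 checked it only inside the generation branch.
        if self._locked(user):
            return "locked"
        if action == "generate":
            # 6-digit code in 100000..999999 (the 900,000-value keyspace).
            self.otps[user] = (str(100000 + secrets.randbelow(900000)), self.clock())
            return "sent"
        if action == "validate":
            entry = self.otps.get(user)
            if entry is None:
                self._record_failure(user)
                return "invalid"
            stored, issued_at = entry
            if self.clock() - issued_at > OTP_TTL_SECONDS:
                del self.otps[user]     # expiry: the control the plugin lacks
                return "expired"
            if not secrets.compare_digest(stored, code or ""):
                self._record_failure(user)
                return "invalid"
            del self.otps[user]         # single use on success
            self.failures.pop(user, None)
            return "authenticated"
        return "bad_action"
```

With the check hoisted above the branch split, repeated wrong guesses on the validation path lock the account just as repeated generation requests do, and a stale code is refused even if it is eventually guessed.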

Why It Matters

With no rate limiting on validation and no OTP expiry, an unauthenticated attacker can iterate the entire 900,000-value OTP keyspace against any chosen user, administrators included. A successful guess yields a valid wp_set_auth_cookie() session, meaning full site compromise: content tampering, plugin/theme uploads, persistence, and pivoting against site data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms the attack is network-reachable, low-complexity, requires no privileges, and needs no user interaction. Confidentiality, integrity, and availability impact are all rated High.

What's Vulnerable

Patch Status

The supplied source material does not identify a fixed version. Disclosure is credited to Wordfence ([email protected]), and the NVD record was published 2026-05-27 with status "Received". Until a confirmed patched release is available, operators should disable or remove the Login with OTP plugin and audit administrator accounts for unexpected sessions or logins. No CISA KEV entry was supplied with this advisory, so active exploitation is not confirmed at the time of writing.

Sources