Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1925+ Articles
150+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-12492: WooCommerce OTP Login Plugin Auth Bypass — Full Admin Takeover
CVE-2026-12492: WooCommerce OTP Login Plugin Auth Bypass — Full Admin Takeover

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-12492

CVE-2026-12492: WooCommerce OTP Login Plugin Auth Bypass — Full Admin Takeover

The Happy Coders OTP Login for WooCommerce plugin before 2.8 allows unauthenticated attackers to bypass OTP verification and log in as any WordPress user, including administrators.

Dylan H.

Security Team

July 16, 2026
3 min read

Affected Products

  • Happy Coders OTP Login for WooCommerce < 2.8

Overview

CVE-2026-12492 is a critical authentication bypass vulnerability (CVSS 9.8) in the Happy Coders OTP Login for WooCommerce WordPress plugin, affecting all versions before 2.8. A remote, unauthenticated attacker can log in as any existing WordPress user — including site administrators — without providing a valid one-time password.

The flaw was discovered by security researcher moonge and submitted via WPScan. The NVD record was published on July 16, 2026; WPScan will release full PoC details on July 22, 2026 to allow a patching window.

FieldValue
CVECVE-2026-12492
CVSS v3.19.8 Critical
VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWECWE-287 — Improper Authentication
Affectedversions 1.5 – 2.7
Fixed2.8 (released June 24, 2026)

Root Cause

The plugin's hcotp_auto_login_user AJAX handler was registered as a public WordPress AJAX endpoint (wp_ajax_nopriv_<action>), meaning it was accessible to any unauthenticated visitor. When called with a valid user identifier, the handler authenticated WordPress as that user without verifying that an OTP had been successfully completed.

Compounding the issue, the required WordPress nonce value was logged to the browser developer console via a console.log call in the plugin's front-end JavaScript, making it trivially retrievable from any page where the login form appeared.

Attack Flow

  1. Load any page of the target site with the OTP login form present.
  2. Open browser developer console to retrieve the nonce value logged by the plugin.
  3. Send a POST request to wp-admin/admin-ajax.php?action=hcotp_auto_login_user with the target user's ID and the nonce.
  4. Receive an authenticated session for the target account — no OTP sent, no phone number verified.

WordPress user IDs are easily enumerated via the REST API (/wp/v2/users) or author archive pages unless separately hardened.

Additional Vulnerabilities Fixed in 2.8

The same patch addressed a cluster of related security issues found during the same audit:

  • WhatsApp OTP replay — OTPs stored without expiry and not invalidated after use
  • Rate-limit bypass — counter not initialized before the DB lookup; bypassable when the rate-limit table was unavailable
  • Plaintext OTP storage — WhatsApp OTPs stored in plaintext; changed to wp_hash_password bcrypt hashes
  • Email account enumeration — distinct error response for unregistered emails leaked registration status
  • XSS via server messages — error output rendered via .html() instead of .text()
  • console.log credential exposure — nonce and plugin config logged to browser console
  • Insecure cookies — verification cookies missing HttpOnly, Secure, and SameSite=Strict
  • Privilege check missing — settings migration function lacked manage_options capability check

Affected Products

  • Happy Coders OTP Login for WooCommerce versions 1.5 through 2.7 (all versions where the OTP feature existed)
  • The plugin uses the MSG91 SMS/WhatsApp gateway for OTP delivery and is primarily used by WooCommerce stores replacing password login with phone-based authentication.

Remediation

Update immediately to version 2.8 or later.

# WP-CLI update
wp plugin update happy-coders-otp-login

Or update via Plugins → Installed Plugins → Update in the WordPress admin dashboard.

If an immediate update is not possible, deactivate the plugin to remove the vulnerable AJAX endpoint from your attack surface.

Post-Patch Hardening

  • Enable WordPress user enumeration protection to prevent trivial user ID discovery
  • Review server logs for unexpected admin-ajax.php?action=hcotp_auto_login_user requests predating the patch
  • Check for unauthorized administrator accounts or password changes
  • Consider enabling a Web Application Firewall (WAF) rule blocking unauthenticated AJAX endpoints that perform authentication actions

References

  • NVD — CVE-2026-12492
  • WPScan Vulnerability DB
  • WordPress.org Plugin — Happy Coders OTP Login
#CVE-2026-12492#WordPress#WooCommerce#Authentication Bypass#CWE-287#Critical

Related Articles

CVE-2026-15013: WordPress SAML SSO Plugin — Algorithm Confusion Auth Bypass

The miniOrange SAML Single Sign On plugin for WordPress through version 5.4.3 allows unauthenticated attackers to log in as any user via an RSA-to-HMAC algorithm confusion attack against the SAML signature verification logic.

4 min read

CVE-2026-9725: Critical WordPress WooCommerce Plugin File Deletion

A CVSS 9.1 critical unauthenticated arbitrary file deletion vulnerability in the Printcart Web to Print Product Designer for WooCommerce plugin affects...

4 min read

CVE-2026-49777: CVSS 10 Flaw in WooCommerce Product Slider Pro Enables Malware Implantation

A maximum-severity input validation vulnerability in Product Slider Pro for WooCommerce allows attackers to implant malicious software. Affects all versions…

5 min read
Back to all Security Alerts