Overview
CVE-2026-12492 is a critical authentication bypass vulnerability (CVSS 9.8) in the Happy Coders OTP Login for WooCommerce WordPress plugin, affecting all versions before 2.8. A remote, unauthenticated attacker can log in as any existing WordPress user — including site administrators — without providing a valid one-time password.
The flaw was discovered by security researcher moonge and submitted via WPScan. The NVD record was published on July 16, 2026; WPScan will release full PoC details on July 22, 2026 to allow a patching window.
| Field | Value |
|---|---|
| CVE | CVE-2026-12492 |
| CVSS v3.1 | 9.8 Critical |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-287 — Improper Authentication |
| Affected | versions 1.5 – 2.7 |
| Fixed | 2.8 (released June 24, 2026) |
Root Cause
The plugin's hcotp_auto_login_user AJAX handler was registered as a public WordPress AJAX endpoint (wp_ajax_nopriv_<action>), meaning it was accessible to any unauthenticated visitor. When called with a valid user identifier, the handler authenticated WordPress as that user without verifying that an OTP had been successfully completed.
Compounding the issue, the required WordPress nonce value was logged to the browser developer console via a console.log call in the plugin's front-end JavaScript, making it trivially retrievable from any page where the login form appeared.
Attack Flow
- Load any page of the target site with the OTP login form present.
- Open browser developer console to retrieve the nonce value logged by the plugin.
- Send a POST request to
wp-admin/admin-ajax.php?action=hcotp_auto_login_userwith the target user's ID and the nonce. - Receive an authenticated session for the target account — no OTP sent, no phone number verified.
WordPress user IDs are easily enumerated via the REST API (/wp/v2/users) or author archive pages unless separately hardened.
Additional Vulnerabilities Fixed in 2.8
The same patch addressed a cluster of related security issues found during the same audit:
- WhatsApp OTP replay — OTPs stored without expiry and not invalidated after use
- Rate-limit bypass — counter not initialized before the DB lookup; bypassable when the rate-limit table was unavailable
- Plaintext OTP storage — WhatsApp OTPs stored in plaintext; changed to
wp_hash_passwordbcrypt hashes - Email account enumeration — distinct error response for unregistered emails leaked registration status
- XSS via server messages — error output rendered via
.html()instead of.text() console.logcredential exposure — nonce and plugin config logged to browser console- Insecure cookies — verification cookies missing
HttpOnly,Secure, andSameSite=Strict - Privilege check missing — settings migration function lacked
manage_optionscapability check
Affected Products
- Happy Coders OTP Login for WooCommerce versions 1.5 through 2.7 (all versions where the OTP feature existed)
- The plugin uses the MSG91 SMS/WhatsApp gateway for OTP delivery and is primarily used by WooCommerce stores replacing password login with phone-based authentication.
Remediation
Update immediately to version 2.8 or later.
# WP-CLI update
wp plugin update happy-coders-otp-loginOr update via Plugins → Installed Plugins → Update in the WordPress admin dashboard.
If an immediate update is not possible, deactivate the plugin to remove the vulnerable AJAX endpoint from your attack surface.
Post-Patch Hardening
- Enable WordPress user enumeration protection to prevent trivial user ID discovery
- Review server logs for unexpected
admin-ajax.php?action=hcotp_auto_login_userrequests predating the patch - Check for unauthorized administrator accounts or password changes
- Consider enabling a Web Application Firewall (WAF) rule blocking unauthenticated AJAX endpoints that perform authentication actions