Executive Summary
A critical authentication bypass vulnerability (CVE-2026-3655) has been discovered in the OTP Login With Phone Number, OTP Verification plugin for WordPress, affecting versions 1.8.50 through 1.8.60. The flaw carries a CVSS score of 9.8 and enables unauthenticated account takeover.
The vulnerability exists in the plugin's Firebase-based OTP verification flow. During the lwp_ajax_register AJAX handler, the plugin verifies a Firebase session token but does not bind that session to the phone number supplied in the login request. An attacker can therefore present a valid Firebase session (obtained for their own phone number) alongside a victim's phone number, triggering authentication as the victim's account without possessing the victim's OTP or credentials.
WordPress site administrators running versions 1.8.50 through 1.8.60 of this plugin should update to a patched release immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-3655 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-287 — Improper Authentication |
| Type | Authentication Bypass / Account Takeover |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Affected Versions | 1.8.50 through 1.8.60 |
| Patch Available | Update to version beyond 1.8.60 |
Affected Versions
| Plugin | Affected Versions | Fixed Version |
|---|---|---|
| OTP Login With Phone Number, OTP Verification | 1.8.50 – 1.8.60 | 1.8.61+ (verify with vendor) |
Technical Analysis
Root Cause
The OTP Login With Phone Number plugin allows WordPress users to authenticate via phone-based OTP. The flow integrates with Firebase Authentication, where a user provides their phone number, receives an OTP via SMS, and Firebase verifies the code and issues a session token.
The critical flaw: the plugin's lwp_ajax_register AJAX handler validates the Firebase token as authentic but does not verify that the token's associated phone number matches the phone number submitted in the login request.
This creates a classic token/identity mismatch vulnerability analogous to OAuth email mismatch issues.
Attack Flow
1. Attacker registers their own phone number with the target WordPress site
2. Attacker completes Firebase OTP verification for their own phone number, obtaining a valid Firebase session token (firebase_idToken)
3. Attacker identifies or enumerates a victim's phone number on the site
4. Attacker submits a crafted POST request to wp-admin/admin-ajax.php:
   - action: lwp_ajax_register
   - firebase_idToken: [attacker's valid token from step 2]
   - phone_number: [victim's phone number]
5. Plugin verifies the Firebase token — it is valid (attacker's real token)
6. Plugin retrieves the WordPress user associated with the victim's phone number
7. Plugin creates an authenticated session for the victim's account
8. Attacker is now logged in as the victim without knowing their OTP or password
Why Nonce and Token Validation Are Insufficient
The Firebase ID token proves the attacker authenticated with Firebase using their own phone. It does not prove any relationship between the attacker and the victim's phone number. By accepting a valid token regardless of the phone number it was issued for, the plugin allows trivial account takeover of any phone-registered user.
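The root-cause and token-binding points above, modelled side by side as an added example (not the plugin's own code): the Firebase ID token is assumed to have already passed signature verification, which yields a claims dict carrying the authenticated phone in Firebase's E.164 `phone_number` claim; the user map and numbers are constructed.

```python
# Added example, not the plugin's own code: models the lwp_ajax_register
# decision point. The Firebase ID token is assumed to have ALREADY passed
# signature verification (e.g. via the Firebase Admin SDK), which yields a
# claims dict; Firebase carries the authenticated phone in its E.164
# "phone_number" claim. User map and numbers below are constructed.
import re
from typing import Dict, Optional

USERS_BY_PHONE: Dict[str, int] = {"+15550001111": 7, "+15550002222": 42}


def normalize_e164(phone: str) -> str:
    """Collapse loosely formatted input to '+' followed by digits only."""
    digits = re.sub(r"\D", "", phone)
    if not digits:
        raise ValueError("empty phone number")
    return "+" + digits


def vulnerable_login(claims: Optional[dict], submitted_phone: str) -> Optional[int]:
    """Mirrors the flaw: the token's validity is checked, but the user is
    looked up from the request-supplied phone field alone."""
    if not claims:  # token failed verification
        return None
    return USERS_BY_PHONE.get(normalize_e164(submitted_phone))


def hardened_login(claims: Optional[dict], submitted_phone: str) -> Optional[int]:
    """Fix: the phone the token was issued for is the identity. The submitted
    phone must match it, and the lookup uses the claim, never the request."""
    if not claims:
        return None
    token_phone = claims.get("phone_number")
    if not token_phone:
        return None  # not a phone-provider token; refuse
    token_phone = normalize_e164(token_phone)
    if token_phone != normalize_e164(submitted_phone):
        return None  # token/identity mismatch: refuse and log it
    return USERS_BY_PHONE.get(token_phone)


# Constructed scenario: a token issued to +15550001111 is presented together
# with another registered user's number.
ATTACKER_CLAIMS = {"phone_number": "+15550001111",
                   "firebase": {"sign_in_provider": "phone"}}
```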
Impact Assessment
| Impact Area | Description |
|---|---|
| Full Account Takeover | Attacker authenticates as any phone-registered user |
| Administrator Compromise | If an admin account uses phone login, full site control is possible |
| PII Exposure | Access to victim's profile data, orders, and stored information |
| Privilege Escalation | Attacker can act with the victim's WordPress role and permissions |
| Persistent Backdoor | Attacker session can be used to modify account details or add email credentials |
| Trust Abuse | Victim's account can be used to post content, make purchases, or escalate further |
Immediate Remediation
Step 1: Update the Plugin
Update OTP Login With Phone Number, OTP Verification to a version beyond 1.8.60 that includes a fix for this vulnerability.
```bash
# Via WP-CLI
wp plugin update login-with-phone-number
# Verify installed version
wp plugin get login-with-phone-number --field=version
```
Or navigate to WordPress Admin > Plugins > Installed Plugins > OTP Login With Phone Number > Update.
Step 2: Disable Phone-Based OTP Login
If an update cannot be applied immediately, disable the plugin or the phone login feature:
```bash
# Deactivate via WP-CLI
wp plugin deactivate login-with-phone-number
```
Alternatively, disable the OTP login feature in the plugin's settings panel if that option is available.
Step 3: Audit for Account Compromise
```bash
# The queries below assume the default wp_ table prefix; adjust if your site uses another.
# List accounts created in the last 30 days and look for unexpected registrations
wp db query "SELECT user_login, user_email, user_registered FROM wp_users
WHERE user_registered > DATE_SUB(NOW(), INTERVAL 30 DAY);"
# Review user meta for unexpected phone number associations
wp db query "SELECT user_id, meta_key, meta_value FROM wp_usermeta
WHERE meta_key LIKE '%phone%' ORDER BY user_id;"
# List administrator accounts for unauthorized entries
wp user list --role=administrator --fields=user_login,user_email,user_registered
```
Step 4: Force Re-Authentication
```bash
# Invalidate all active sessions (force re-login for all users)
wp db query "DELETE FROM wp_usermeta WHERE meta_key = 'session_tokens';"
# Regenerate WordPress secret keys and salts
wp config shuffle-salts
```
Detection Indicators
| Indicator | Description |
|---|---|
| lwp_ajax_register in web server access logs | OTP login AJAX endpoint activity |
| Logins from unexpected IP addresses on user accounts | Post-exploitation account use |
| Phone number in request does not match token's phone (if logging Firebase) | Exploitation indicator |
| Unexpected profile data changes or new email addresses added | Attacker modifying account for persistence |
| Multiple login attempts using different phone numbers with same token | Active exploitation probe |
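The last three indicators in the table, turned into a small scan as an added example (not from the original advisory): it assumes the site logs lwp_ajax_register requests as JSON lines carrying a SHA-256 of firebase_idToken (never the raw token) and, where Firebase claims are logged, the token's phone_number claim; the log records, hashes, IPs and numbers are constructed.

```python
# Added example, not from the original advisory: scans constructed
# application-level log records of lwp_ajax_register requests for two
# indicators: a request phone that differs from the token's phone, and one
# token presented with several different phone numbers. Assumes JSON lines
# with a SHA-256 of firebase_idToken (never the raw token) and, if the site
# logs Firebase claims, the token's phone_number claim.
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample log lines (hypothetical hashes, TEST-NET IPs, fake numbers).
SAMPLE_LOG = """
{"ts":"2026-03-01T10:00:01Z","ip":"203.0.113.5","action":"lwp_ajax_register","token_sha256":"aaaa","phone_number":"+15550001111","token_phone":"+15550001111"}
{"ts":"2026-03-01T10:00:09Z","ip":"203.0.113.5","action":"lwp_ajax_register","token_sha256":"aaaa","phone_number":"+15550002222","token_phone":"+15550001111"}
{"ts":"2026-03-01T10:00:15Z","ip":"203.0.113.5","action":"lwp_ajax_register","token_sha256":"aaaa","phone_number":"+15550003333","token_phone":"+15550001111"}
{"ts":"2026-03-01T10:05:00Z","ip":"198.51.100.9","action":"lwp_ajax_register","token_sha256":"bbbb","phone_number":"+15550004444","token_phone":"+15550004444"}
{"ts":"2026-03-01T10:06:00Z","ip":"198.51.100.9","action":"heartbeat"}
"""


def detect_otp_abuse(log_text: str) -> List[str]:
    """Return one finding per phone/token mismatch plus one per reused token."""
    findings: List[str] = []
    phones_per_token: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("action") != "lwp_ajax_register":
            continue  # only the OTP login endpoint is of interest
        token = rec["token_sha256"]
        submitted = rec["phone_number"]
        phones_per_token[token].add(submitted)
        # Indicator: request phone differs from the phone the token was issued for
        token_phone = rec.get("token_phone")
        if token_phone and token_phone != submitted:
            findings.append(f"mismatch token={token} ip={rec['ip']} "
                            f"submitted={submitted} token_phone={token_phone}")
    # Indicator: one token tried against several different phone numbers
    for token, phones in phones_per_token.items():
        if len(phones) > 1:
            findings.append(f"reuse token={token} distinct_phones={len(phones)}")
    return findings
```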
Post-Remediation Checklist
- Update the plugin to version 1.8.61 or later
- Disable phone OTP login if update is delayed
- Invalidate all active WordPress sessions via session token deletion
- Regenerate secret keys with wp config shuffle-salts
- Audit all user accounts — look for unexpected profile changes
- Review web server logs for lwp_ajax_register AJAX traffic
- Enable two-factor authentication on all administrator accounts (separate mechanism)
- Consider WAF rules to rate-limit or monitor OTP login AJAX calls
- Notify affected users if exploitation is detected