WordPress · Login With Otp · CVE-2026-8760
**Name of the Vulnerable Software and Affected Versions**
Login with OTP plugin for WordPress versions prior to 1.7
**Description**
An authentication bypass exists due to an incomplete fix in the `otpl login action()` function. The rate-limit and lockout checks are only applied during the OTP generation phase and are not evaluated during the OTP validation phase. Additionally, the generated 6-digit OTP does not expire. This allows unauthenticated attackers to brute-force the 900,000 possible OTP values for any user account, including administrators, to obtain a valid `wp set auth cookie()` session and achieve full site compromise.
**Recommendations**
Update the plugin to a version later than 1.6.