PT-2024-16801 · WordPress · Login With Otp

István Márton · Published 2024-12-06 · Updated 2026-06-01 · CVE-2024-11178

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Login With OTP plugin for WordPress, versions up to and including 1.4.2
Description: The plugin generates a weak 6-digit numeric OTP and enforces neither an attempt limit nor a time limit on its use. An unauthenticated attacker can therefore request an OTP for a target account and brute force the 1,000,000 possible values, making it possible to log in as any existing user on the site, such as an administrator, if they have access to the email address associated with that account.
Recommendations: For versions up to and including 1.4.2, consider disabling the OTP login functionality until a patched release is available, since the OTP can be brute forced. Restrict access to the email associated with administrator accounts to minimize the risk of exploitation. As a temporary workaround, add an authentication factor that does not depend on this plugin's OTP, such as two-factor authentication using a different method, to reduce the risk of unauthorized access. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
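The following is an added example and is not code from the Login With OTP plugin or from this advisory. It models the two defects the description names, a 6-digit numeric OTP that is never rate limited and never expires, beside a verifier that adds an attempt limit, a lifetime and single use, and runs the same exhaustive brute force against both. The class names, the limits (5 attempts, 300 seconds) and the sample account address are assumptions chosen for illustration; a real WordPress fix would keep the counter and timestamp in a transient or user meta rather than in memory.

```python
"""Added example (not the plugin's code): a weak OTP verifier with no attempt
or time limit beside a hardened one, and a brute force run against both."""
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_SPACE = 10 ** OTP_DIGITS      # 1,000,000 possible codes
MAX_ATTEMPTS = 5                  # assumed lockout threshold
OTP_TTL_SECONDS = 300             # assumed code lifetime


def _new_code(rng):
    # rng must provide randbelow(); secrets.randbelow is the CSPRNG default
    return f"{rng.randbelow(OTP_SPACE):0{OTP_DIGITS}d}"


class WeakOtpStore:
    """Behaviour described in the advisory: one 6-digit code per account,
    checked as often as the caller likes, valid until replaced."""

    def __init__(self, rng=secrets):
        self.rng = rng
        self.codes = {}                      # email -> current code

    def issue(self, email):
        self.codes[email] = _new_code(self.rng)
        return self.codes[email]

    def verify(self, email, guess):
        # No attempt counter, no expiry, not single-use.
        return self.codes.get(email) == guess


class HardenedOtpStore:
    """Same flow with an attempt limit, a lifetime and single use."""

    def __init__(self, rng=secrets, clock=time.monotonic):
        self.rng = rng
        self.clock = clock
        self.state = {}                      # email -> [code, issued_at, attempts]

    def issue(self, email):
        code = _new_code(self.rng)
        self.state[email] = [code, self.clock(), 0]
        return code

    def verify(self, email, guess):
        rec = self.state.get(email)
        if rec is None:                      # nothing outstanding for this account
            return False
        code, issued_at, attempts = rec
        if self.clock() - issued_at > OTP_TTL_SECONDS or attempts >= MAX_ATTEMPTS:
            del self.state[email]            # expired or exhausted: force a fresh code
            return False
        rec[2] = attempts + 1
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self.state[email]            # single use
            return True
        return False


def brute_force(store, email):
    """Try every code in order, as an unauthenticated attacker would.
    Returns (logged_in, guesses_made)."""
    for n in range(OTP_SPACE):
        if store.verify(email, f"{n:0{OTP_DIGITS}d}"):
            return True, n + 1
    return False, OTP_SPACE


if __name__ == "__main__":
    target = "admin@example.com"             # constructed sample account
    weak = WeakOtpStore()
    weak.issue(target)
    print("weak store:", brute_force(weak, target))
    hard = HardenedOtpStore()
    hard.issue(target)
    print("hardened store:", brute_force(hard, target))
```

Against the weak store the search always succeeds within at most one million guesses, which an unauthenticated attacker can issue as plain login requests. Against the hardened store the same loop is stopped after MAX_ATTEMPTS wrong guesses, the outstanding code is discarded so a later correct guess no longer works, a code older than OTP_TTL_SECONDS is rejected, and a successful code cannot be replayed.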

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2024-11178

Affected Products

Login With Otp