PT-2025-30390 · WordPress · Orion Login With Sms
Kenneth Dunn · Published 2025-07-22 · Updated 2025-07-22 · CVE-2025-7692
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Orion Login with SMS plugin for WordPress versions up to and including 1.0.5
Description
The Orion Login with SMS plugin for WordPress is susceptible to authentication bypass due to insufficient security measures in the olws_handle_verify_phone() function. The function does not employ a sufficiently robust One-Time Password (OTP) value, revealing the hash required to generate the OTP. Additionally, there are no limitations on the number of attempts to submit the code. This allows unauthenticated attackers to gain access to accounts, including administrator accounts, if they have access to the user's phone number.
Recommendations
Update Orion Login with SMS plugin for WordPress to a version later than 1.0.5.
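The weaknesses named in the description (a weak OTP value, a disclosed hash from which the OTP can be generated, and unlimited submission attempts) each map to a server-side control. The PHP below is an added example, not the plugin's code or its patch; the class `OtpStore`, its constants, and the in-memory array standing in for server-side storage are assumptions.

```php
<?php
// Added example: hardened OTP issue/verify flow. All names are hypothetical.
final class OtpStore
{
    private const TTL_SECONDS  = 300; // code lifetime
    private const MAX_ATTEMPTS = 5;   // tries allowed before the code is burned
    private array $pending = [];      // stand-in for server-side storage

    public function __construct(private string $serverKey) {}

    // Returns the code for the SMS gateway only; never echo it or its MAC to the client.
    public function issue(string $phone, ?int $now = null): string
    {
        $now ??= time();
        // CSPRNG digits, independent of the phone number and of anything the client sees.
        $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
        $this->pending[$phone] = [
            'mac'      => $this->mac($phone, $code),
            'expires'  => $now + self::TTL_SECONDS,
            'attempts' => 0,
        ];
        return $code;
    }

    public function verify(string $phone, string $submitted, ?int $now = null): bool
    {
        $now ??= time();
        $entry = $this->pending[$phone] ?? null;
        if ($entry === null) {
            return false;
        }
        if ($now > $entry['expires'] || $entry['attempts'] >= self::MAX_ATTEMPTS) {
            unset($this->pending[$phone]); // expired or locked out: a new code is required
            return false;
        }
        $this->pending[$phone]['attempts']++; // count the try before comparing
        if (!hash_equals($entry['mac'], $this->mac($phone, $submitted))) {
            return false;
        }
        unset($this->pending[$phone]); // single use
        return true;
    }

    private function mac(string $phone, string $code): string
    {
        return hash_hmac('sha256', $phone . "\0" . $code, $this->serverKey);
    }
}
```

With five tries against a six-digit code, blind guessing succeeds with probability at most 5 in 1,000,000 per issued code, so `issue()` should itself be rate-limited per phone number.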
Fix
Authentication Bypass Using an Alternate Path or Channel
Weakness Enumeration
Related Identifiers
Affected Products
Orion Login With Sms