CVE-2025-9967

Name of the Vulnerable Software and Affected Versions Orion SMS OTP Verification plugin for WordPress versions through 1.1.7

Description The Orion SMS OTP Verification plugin for WordPress is susceptible to privilege escalation, leading to potential account takeover. The issue stems from insufficient user identity validation before password updates, allowing unauthenticated attackers to modify user passwords. If an attacker knows a user's phone number, they can change the user's password to a one-time password. There is no mention of the number of potentially affected devices or any real-world incidents where this issue was exploited. The vulnerable process involves updating a user's password without proper authentication.

Recommendations Update the Orion SMS OTP Verification plugin to version 1.1.8 or later. As a temporary measure, disable the Orion SMS OTP Verification plugin to protect your site.