CVE-2026-8760

Name of the Vulnerable Software and Affected Versions Login with OTP plugin for WordPress versions prior to 1.7

Description An authentication bypass exists due to an incomplete fix in the otpl login action() function. The rate-limit and lockout checks are only applied during the OTP generation phase and are not evaluated during the OTP validation phase. Additionally, the generated 6-digit OTP does not expire. This allows unauthenticated attackers to brute-force the 900,000 possible OTP values for any user account, including administrators, to obtain a valid wp set auth cookie() session and achieve full site compromise.

Recommendations Update the plugin to a version later than 1.6.