PT-2026-44756 · WordPress · Login With Phone Number

Lucky_Buddy · Published 2026-05-29 · Updated 2026-06-04 · CVE-2026-3655

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OTP Login With Phone Number, OTP Verification plugin for WordPress, versions 1.8.50 through 1.8.60
Description: An authentication bypass exists because the Firebase verification flow in the 'lwp_ajax_register' AJAX handler does not bind the Firebase session to the phone number supplied in the request. The idehweb_lwp_activate_through_firebase() function validates that the Firebase OTP session is legitimate, but it fails to compare the phoneNumber returned by Firebase against the victim's stored phone number. This allows unauthenticated attackers to authenticate as any user with a phone number stored in user meta, including administrators, by verifying their own Firebase session and supplying the victim's phone number in the request.
Recommendations: Update the plugin to a version later than 1.8.60. As a temporary workaround, restrict access to the 'lwp_ajax_register' AJAX handler to minimize the risk of exploitation.
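The defect described above is a missing binding check: the handler confirms that some Firebase OTP session is valid, then chooses the account from the phone number in the request rather than from the number Firebase verified. The following Python model is an added illustration, not code from the plugin or from this advisory. It shows the vulnerable decision logic next to a hardened version that resolves the account only from the Firebase-verified phoneNumber and rejects any mismatch with the requested number. The user table, the Firebase session table and all phone numbers are constructed for the example; a real deployment would obtain the claims from Firebase token verification instead of a dictionary lookup.

```python
import hmac
import re

# Constructed stand-in for the WordPress user table plus the phone number
# each user stored in user meta. Values are made up for this example.
USERS = {
    1: {"login": "admin", "phone": "+1 555-010-0001"},
    2: {"login": "alice", "phone": "+1 555-010-0002"},
}

# Constructed stand-in for the Firebase side: which phone number each
# already verified Firebase session (ID token) belongs to. A real
# deployment asks Firebase to verify the token instead of consulting a map.
FIREBASE_SESSIONS = {
    "idtoken-alice": {"phoneNumber": "+15550100002"},
}


def normalize_phone(raw: str) -> str:
    """Reduce a phone number to a leading '+' plus digits so that the
    stored format and Firebase's E.164 format compare equal."""
    digits = re.sub(r"\D", "", raw)
    return "+" + digits


def verify_firebase_session(id_token: str):
    """Return the verified claims for a Firebase session, or None when the
    token is unknown. Stand-in for the plugin's Firebase validity check."""
    return FIREBASE_SESSIONS.get(id_token)


def find_user_by_phone(phone: str):
    """Return the user id whose stored phone matches, or None."""
    want = normalize_phone(phone)
    for user_id, user in USERS.items():
        if normalize_phone(user["phone"]) == want:
            return user_id
    return None


def vulnerable_login(id_token: str, requested_phone: str):
    """Pattern the advisory describes: the Firebase session is checked
    for validity, but the account is selected from the request."""
    claims = verify_firebase_session(id_token)
    if claims is None:
        return None
    # Bug: the verified phoneNumber in `claims` is never consulted.
    return find_user_by_phone(requested_phone)


def hardened_login(id_token: str, requested_phone: str):
    """Bind the login to the identity Firebase actually verified."""
    claims = verify_firebase_session(id_token)
    if claims is None:
        return None
    verified = normalize_phone(claims["phoneNumber"])
    requested = normalize_phone(requested_phone)
    # The request must not redirect a valid session to another number.
    if not hmac.compare_digest(verified.encode(), requested.encode()):
        return None
    # Resolve the account from the verified number, never from the request.
    return find_user_by_phone(verified)
```

With these constructed tables, `vulnerable_login("idtoken-alice", "+1 555-010-0001")` resolves to user 1 (admin) even though the session belongs to alice, while `hardened_login` returns None for that input and only yields user 2 when the requested number matches the one Firebase verified. For detection, the same comparison can be logged server-side: any request where the verified phoneNumber and the requested phone differ is a concrete signal of this bypass being attempted.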

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2026-3655

Affected Products

Login With Phone Number