WordPress OTP Login Plugin Unauthenticated Auth Bypass via Firebase (CVE-2026-3655)

Vulnerability Overview Vulnerability Name: OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification CVE ID: CVE-2026-3655 CVSS Score: 9.8 (Critical) Release Date: May 28, 2026 Last Update Date: May 29, 2026 Researcher: lucky_buddy Affected Scope Software Type: Plugin Software Name: login-with-phone-number Affected Versions: 1.8.50 - 1.8.60 Fixed Version: 1.8.61 Remediation Recommendation: Update to version 1.8.61 or any other patched version. Vulnerability Description This vulnerability allows an unauthenticated attacker to bypass authentication via Firebase OTP verification. The root cause is that the AJAX handler in the Firebase verification process does not bind the Firebase session to the phone number provided in the request. The function validates whether the Firebase OTP session is legitimate, but the returned is never compared against the victim's phone number stored in user metadata. This allows the attacker to authenticate using any phone number stored in user metadata, including those of administrators. References plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org Related Vulnerabilities WooCommerce OTP Login With Phone Number, OTP Verification <= 1.8.47 - Authentication Bypass - CVE ID: CVE-2025-8342 - CVSS Score: 8.1 - Researcher: Arkadiusz Hydryk - Release Date: August 14, 2025 Login with phone number <= 1.7.49 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation - CVE ID: CVE-2024-6482 - CVSS Score: 8.8 - Researcher: Thanh Nam Tran - Release Date: September 14, 2024 Login with phone number <= 1.7.35 - Authenticated (Administrator) Stored Cross-Site Scripting - CVE ID: CVE-2024-37429 - CVSS Score: 4.4 - Researcher: LuxFiz - Release Date: June 28, 2024 Login with phone number <= 1.7.34 - Insecure Password Reset Mechanism - CVE ID: CVE-2024-6125 - CVSS Score: 8.1 - Researcher: István Márton - Release Date: June 18, 2024 Login with phone number <= 1.7.26 - Authentication Bypass due to Missing Empty Value Check - CVE ID: CVE-2024-5150 - CVSS Score: 9.8 - Researcher: István Márton - Release Date: May 28, 2024 Login with phone number <= 1.7.18 - Missing Authorization - CVE ID: CVE-2024-34371 - CVSS Score: 4.3 - Researcher: Dhabaleshwar Das - Release Date: May 3, 2024 Login with phone number <= 1.6.93 - Missing Authorization - CVE ID: CVE-2024-32932 - CVSS Score: 5.3 - Researcher: Majed Refaa - Release Date: April 22, 2024 Login with phone number <= 1.7.16 - Unauthorized Account Password Change to Privilege Escalation - CVE ID: CVE-2024-32507 - CVSS Score: 8.8 - Researcher: Emilí Castells - Release Date: April 15, 2024 Login with phone number <= 1.6.93 - Cross-Site Request Forgery - CVE ID: CVE-2024-31424 - CVSS Score: 4.3 - Researcher: Majed Refaa - Release Date: April 10, 2024 Login with phone number <= 1.5.6 - Cross-Site Request Forgery to User Password Change - CVE ID: CVE-2023-4916 - CVSS Score: 8.8 - Researcher: István Márton - Release Date: September 12, 2023 Code Blocks No POC or exploitation code was included in the page.

Goal Reached Thanks to every supporter — we hit 100%!

WordPress OTP Login Plugin Unauthenticated Auth Bypass via Firebase (CVE-2026-3655)

More from this source