Login With OTP Plugin WP Auth Bypass via Weak OTP (<=1.4.2)
CVE-2024-11178 Published on December 6, 2024
Login With OTP <= 1.4.2 - Authentication Bypass via Weak OTP
The Login With OTP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.4.2. This is due to the plugin generating a weak OTP and enforcing no attempt limit or time limit on verification. This makes it possible for unauthenticated attackers to generate and brute force the 6-digit numeric OTP, which in turn makes it possible to log in as any existing user on the site, such as an administrator, if they have access to the email.
Timeline
Discovered
Disclosed 22 days later.
Weakness Type
Authentication Bypass Using an Alternate Path or Channel
A product requires authentication, but the product has an alternate path or channel that does not require authentication.
Products Associated with CVE-2024-11178
Affected Versions
india-web-developer Login with OTP: before and including 1.4.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.