Authentication Bypass in miniOrange OTP Login Plugin for WordPress
CVE-2026-14245

9.8CRITICAL

What is CVE-2026-14245?

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is susceptible to an Authentication Bypass vulnerability. This flaw allows unauthenticated attackers to exploit the um_reset_password_process_hook() function, which lacks server-side verification for the OTP validation step. Instead, it solely depends on a publicly exposed form_nonce nonce, allowing unauthenticated visitors access to it. Attackers can send a request with a targeted username_b parameter, enabling them to retrieve a password-reset URL for any Administrator account. This exploit occurs if the Ultimate Member Password Reset Form is activated, and the plugin settings permit access without phone-based verification.

Affected Version(s)

miniOrange OTP Login, Verification and SMS Notifications 0 <= 5.5.1

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Khaled Alenazi (Nxploited)
.