Authentication Bypass in miniOrange OTP Login Plugin for WordPress
CVE-2026-14245
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-14245?
The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is susceptible to an Authentication Bypass vulnerability. This flaw allows unauthenticated attackers to exploit the um_reset_password_process_hook() function, which lacks server-side verification for the OTP validation step. Instead, it solely depends on a publicly exposed form_nonce nonce, allowing unauthenticated visitors access to it. Attackers can send a request with a targeted username_b parameter, enabling them to retrieve a password-reset URL for any Administrator account. This exploit occurs if the Ultimate Member Password Reset Form is activated, and the plugin settings permit access without phone-based verification.
Affected Version(s)
miniOrange OTP Login, Verification and SMS Notifications 0 <= 5.5.1