Introduction
Attackers can seize control of any WordPress user account protected by the Orion SMS OTP Verification plugin if they know the associated phone number. This critical issue exposes administrative and privileged accounts to takeover, potentially resulting in full site compromise for any WordPress installation using affected plugin versions.
The Orion SMS OTP Verification plugin is a third-party WordPress extension developed by Orion Hive. It provides SMS-based one-time password (OTP) authentication and integrates with popular plugins such as Contact Form 7 and WooCommerce. While not as widely deployed as core WordPress components, it is used by organizations seeking to add SMS-based two-factor authentication to their sites. Orion Hive has released other authentication plugins, some of which have also experienced privilege escalation vulnerabilities.
Technical Information
CVE-2025-9967 is a privilege escalation and authentication bypass vulnerability in the Orion SMS OTP Verification plugin for WordPress. All versions up to and including 1.1.7 are affected. The core issue is that the plugin’s password reset mechanism does not properly validate the identity of the requester before allowing a password change.
The attack requires only knowledge of the target user’s phone number. An unauthenticated attacker can initiate a password reset for any account, and the plugin will allow the password to be set to a one-time password (OTP) without verifying that the requester is the legitimate account owner. This flaw is referenced in the plugin’s reset-password.js file, which is involved in the password reset workflow. The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
No public code snippets are available for this vulnerability. The exploit does not require authentication or user interaction, and can be performed remotely.
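As an added illustration (not the plugin's code, which is not public), the following Python models the server-side state a phone-number password reset needs so that knowing a phone number is never enough to change a password: the OTP is sent only to the phone on file and stored hashed, a correct OTP is exchanged for a single-use, time-limited reset token, and only that token authorizes the password change. The class and function names, the time limits, the attempt cap and the in-memory stores are assumptions made for this example, not anything from WordPress or the plugin.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 300  # seconds an OTP or reset token stays valid (assumed policy)

class PasswordResetService:
    def __init__(self, users, send_sms, now=time.time):
        self.users = users        # phone -> {"pw_hash": str}; constructed store, not WordPress
        self.send_sms = send_sms  # callable(phone, otp); the OTP is never returned to the caller
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # phone -> {"otp_hash", "expires", "attempts"}
        self.tokens = {}          # reset_token -> (phone, expires)

    def request_reset(self, phone):
        # Same response for known and unknown numbers, so the endpoint does not enumerate users.
        if phone in self.users:
            otp = f"{secrets.randbelow(10**6):06d}"
            self.pending[phone] = {"otp_hash": hashlib.sha256(otp.encode()).digest(),
                                   "expires": self.now() + OTP_TTL, "attempts": 0}
            self.send_sms(phone, otp)
        return "If that number is registered, a code has been sent."

    def verify_otp(self, phone, otp):
        # A correct OTP is exchanged for a short-lived reset token; anything else yields None.
        p = self.pending.get(phone)
        if p is None or self.now() > p["expires"]:
            self.pending.pop(phone, None)
            return None
        p["attempts"] += 1
        if p["attempts"] > 5:                  # brute-force cap on a 6-digit code
            del self.pending[phone]
            return None
        if not hmac.compare_digest(p["otp_hash"], hashlib.sha256(otp.encode()).digest()):
            return None
        del self.pending[phone]                # single use: a replayed OTP fails
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (phone, self.now() + OTP_TTL)
        return token

    def set_password(self, token, new_password):
        # The password changes only for a live token, and the token is consumed either way.
        entry = self.tokens.pop(token, None)
        if entry is None or self.now() > entry[1] or len(new_password) < 12:
            return False
        salt = secrets.token_bytes(16)
        self.users[entry[0]]["pw_hash"] = salt.hex() + "$" + hashlib.pbkdf2_hmac(
            "sha256", new_password.encode(), salt, 200_000).hex()
        return True
```

The property to check against any reset implementation is the one the advisory describes as missing: no code path reaches the password write without a fresh, verified, single-use proof that the caller holds the phone on file.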
Affected Systems and Versions
- Orion SMS OTP Verification plugin for WordPress
- All versions up to and including 1.1.7
- Any WordPress configuration using this plugin is vulnerable if password reset via phone number is enabled
Vendor Security History
Orion Hive, the developer of this plugin, has a history of authentication-related vulnerabilities. Notably, the Orion Login with SMS plugin (a separate product) was affected by CVE-2025-7692, which also allowed authentication bypass. The recurrence of such issues suggests systemic weaknesses in the vendor’s secure development lifecycle and authentication design.