ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-3655 Firebase OTP Authentication Bypass in WordPress OTP Login Plugin

A short review of CVE-2026-3655, a critical CVSS 9.8 authentication bypass in the WordPress OTP Login With Phone Number plugin that allows unauthenticated attackers to log in as any user, including administrators, by exploiting a missing identity binding check in the Firebase OTP verification flow.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-29

Brief Summary: CVE-2026-3655 Firebase OTP Authentication Bypass in WordPress OTP Login Plugin
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing identity binding check in the Firebase OTP verification flow of a WordPress authentication plugin means that any attacker with a Firebase account and a target's phone number can authenticate as that user, including site administrators, without ever needing their credentials. The flaw, tracked as CVE-2026-3655 and scored at CVSS 9.8, affects the "OTP Login With Phone Number, OTP Verification" plugin for WordPress in versions 1.8.50 through 1.8.60.

The OTP Login With Phone Number plugin provides phone number based login and registration for WordPress and WooCommerce sites, supporting SMS gateways including Firebase (as a free tier option), Twilio, Msg91, and WhatsApp. It has approximately 900 active installations and over 130,000 total downloads. While its install base is modest, the plugin serves a specific niche: site operators who want phone based authentication without incurring per message SMS costs, making Firebase integration its primary differentiator.

Technical Information

Root Cause: Session to Identity Decoupling

The vulnerability resides in the lwp_ajax_register AJAX handler within the ajax-handlers.php file. The Firebase OTP verification flow in this handler consists of two logically distinct steps that the plugin never binds together:

Step 1: Firebase Session Validation. The function idehweb_lwp_activate_through_firebase() (at line 649 of ajax-handlers.php) calls Firebase to validate that an OTP session is legitimate. Firebase returns a phoneNumber value representing the phone number that was actually verified through the OTP challenge.

Step 2: User Lookup by Request Parameter. Separately, at line 659, the handler reads the phoneNumber value supplied in the HTTP request body and uses it to look up a WordPress user account via the user meta table. This request supplied phone number determines which account the server will authenticate the caller as.

The critical defect is that the phoneNumber returned by Firebase (the number that was actually verified via OTP) is never compared against the phoneNumber submitted in the HTTP request (the number identifying the target user account). The authentication logic treats these as independent, uncorrelated values. Under the CWE-287 (Improper Authentication) framework, this is a textbook case where authentication proceeds despite the absence of a complete identity verification step.

This is not a subtle timing issue or a race condition. It is a straightforward architectural omission: the code validates that a Firebase session exists and is legitimate, but never validates whose phone number that session belongs to before granting access to the account associated with the request parameter.

Attack Flow

An unauthenticated attacker can exploit this vulnerability through the following sequence:

  1. Obtain a valid Firebase OTP session. The attacker initiates a legitimate Firebase OTP verification for their own phone number. They receive the OTP via SMS, enter it, and generate a valid Firebase session token. This is a completely normal, legitimate use of Firebase.

  2. Identify a target victim's phone number. The attacker determines the phone number of a target WordPress user (particularly an administrator) that is stored in the WordPress user meta table. Phone numbers may be discoverable through profile pages, data leaks, social engineering, or other reconnaissance.

  3. Submit a crafted request to lwp_ajax_register. The attacker sends an AJAX POST request to wp-admin/admin-ajax.php with action=lwp_ajax_register, including their valid Firebase session token alongside the victim's phone number as the phoneNumber parameter.

  4. Authentication bypass completes. The server calls idehweb_lwp_activate_through_firebase(), which validates the Firebase session (legitimate, because the attacker did verify their own phone). The server then looks up the WordPress user associated with the victim's phone number from the request body. Since these two values are never cross checked, the server authenticates the attacker as the victim, issuing a WordPress session for the victim's account.

The lwp_ajax_register handler is an AJAX endpoint accessible to unauthenticated users, so no prior WordPress session or any form of authentication is needed to initiate the attack. The attack requires no special tools beyond a Firebase account and the ability to craft HTTP requests.

The Fix

The patch applied in changeset 3479314 modifies ajax-handlers.php to bind the Firebase verified phone number to the request supplied phone number. In the patched version, the phoneNumber returned by Firebase is compared against the phoneNumber parameter in the request, and authentication only proceeds if they match. This eliminates the decoupling that allowed the bypass.

CVSS Vector Breakdown

The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects the most dangerous combination of attributes:

ComponentValueMeaning
Attack VectorNetworkExploitable remotely over the internet
Attack ComplexityLowNo special conditions or preparation needed
Privileges RequiredNoneNo authentication needed
User InteractionNoneNo victim action required
Confidentiality ImpactHighFull access to victim account data
Integrity ImpactHighFull control over victim account and site content
Availability ImpactHighAttacker can lock out legitimate users or modify site

Affected Systems and Versions

The vulnerability affects the OTP Login With Phone Number, OTP Verification plugin for WordPress in versions 1.8.50 through 1.8.60 (inclusive).

Specifically, sites are vulnerable if:

  • They are running any version of the plugin from 1.8.50 to 1.8.60
  • The Firebase OTP verification flow is enabled as an authentication method
  • At least one user account (particularly an administrator) has a phone number stored in WordPress user meta

The vulnerability was patched in version 1.8.61. The current latest version is 1.8.62. The plugin requires WordPress 4.0 or higher and has been tested up to WordPress 6.8.5.

Vendor Security History

The security track record of this plugin is a significant concern for any organization evaluating its use. The Wordfence Intelligence database documents 14 vulnerabilities in this plugin since February 2022. The most severe entries are summarized below:

CVECVSSTypeAffected VersionsDateResearcher
CVE-2026-36559.8Authentication Bypass (Firebase OTP)1.8.50 to 1.8.60May 28, 2026lucky_buddy
CVE-2025-83428.1Authentication Bypass (WooCommerce OTP)Up to 1.8.47Aug 14, 2025Arkadiusz Hydzik
CVE-2024-64828.8Privilege EscalationUp to 1.7.49Sep 14, 2024Thanh Nam Tran
CVE-2024-51509.8Authentication Bypass (Empty Value)Up to 1.7.26May 28, 2024Istvan Marton
CVE-2024-61258.1Insecure Password ResetUp to 1.7.34Jun 18, 2024Istvan Marton
CVE-2024-325078.8Unauthorized Password ChangeUp to 1.7.16Apr 15, 2024Emili Castells
CVE-2022-05936.5Remote Plugin DeletionUp to 1.3.6Feb 16, 2022Michal Lipinski

Three of the 14 vulnerabilities are authentication bypass flaws classified under CWE-287, and the plugin has experienced at least one critical or high severity vulnerability every year since 2022. The pattern is instructive: CVE-2024-5150 was a missing empty value check, CVE-2025-8342 involved OTP generation not bound to user identity, and CVE-2026-3655 involves a Firebase session not bound to the request phone number. All three share the same underlying architectural problem where the plugin's authentication logic processes the verified credential and the claimed identity as independent, uncorrelated values.

The developer has been responsive in issuing patches for each reported flaw. However, the recurrence of the same vulnerability class across multiple code paths over two years suggests that each patch addresses the specific reported instance without a holistic security review of adjacent authentication flows. Organizations that patched CVE-2024-5150 but remained on versions 1.8.50 through 1.8.60 found themselves fully exposed again, illustrating the risk of relying on plugins with repeated authentication logic failures.

Broader Threat Context

While no confirmed active exploitation of CVE-2026-3655 has been documented as of May 29, 2026, the broader landscape for WordPress authentication bypass vulnerabilities is active. Proofpoint reports that 12 distinct 2026 CVEs are being actively exploited in network facing attacks. The Digits WordPress plugin, a comparable phone based OTP authentication plugin, had its authentication bypass actively exploited in the wild, with FortiGuard publishing an IPS signature to detect attacks. Threat actors have also exploited authentication bypasses in the Service Finder WordPress theme. Given the low attack complexity and unauthenticated access vector, rapid weaponization of CVE-2026-3655 should be expected.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization