External risk intelligence

miniOrange OTP Login Plugin Authentication Bypass Administrator Account Takeover

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-14245

The vulnerability exists in a WordPress plugin that modifies the authentication and password reset flow of a website. Because WordPress sites are commonly deployed as internet-facing web applications accessible to the public, and this functionality is intended to be reachable by users performing password resets, the vulnerable surface is commonly internet-facing.

Authentication Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in a WordPress plugin that handles OTP login and verification. The flaw allows unauthenticated attackers to bypass security measures and take over administrator accounts, posing a significant risk to website security. This is due to a lack of proper server-side verification during the password reset process, enabling attackers to target any user.

  • Bypass password reset to gain admin access.
  • Impacts website security and user accounts.
  • Confirm relevance and exposure of the plugin.

Attack Path

How an attacker could exploit the issue

An attacker can bypass authentication to take over an administrator account on a WordPress site. This is possible if the site uses the miniOrange OTP plugin and has the Ultimate Member password reset form enabled, provided phone-only reset is not configured. The attacker can then target any user, including administrators, by exploiting a weakness in how the password reset process verifies OTP validation.

  • No prior access required.
  • Triggered via password reset form.
  • Administrator account takeover risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthenticated attackers to bypass verification steps and take over administrator accounts on a WordPress site. This can occur when the Ultimate Member password reset form is active and the plugin is not configured for phone-only resets, potentially leading to unauthorized access and control of the website.

  • Administrator account credentials.
  • Exploitation via password reset forms.
  • Full website control by attackers.

Operational Fix

Recommended remediation, mitigation, and detection steps

The WordPress administrator responsible for the website utilizing the miniOrange OTP plugin should prioritize identifying all instances of this plugin. Next, confirm if the password reset functionality is active and if the plugin is configured for phone-only resets, as these are prerequisites for exploitation. Finally, plan remediation based on the confirmed exposure and business criticality.

  • WordPress site administrators own this issue.
  • Verify password reset functionality is active.
  • Plan remediation based on exposure and criticality.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the miniOrange OTP Login, Verification and SMS Notifications plugin?

This WordPress plugin adds multi-factor authentication and SMS-based verification to login and password reset flows. It is commonly used by site administrators to enhance security for user accounts, including subscribers, customers, and administrative staff, by requiring a one-time passcode (OTP) during sensitive authentication actions.

What does CWE-862 mean for CVE-2026-14245?

CWE-862 refers to a Missing Authorization vulnerability. In this specific case, the plugin fails to perform a necessary security check during the password reset process. Because the server does not verify that a valid OTP was actually entered, it incorrectly assumes the reset request is legitimate, allowing an unauthenticated user to proceed as if they had successfully authenticated.

How can an attacker trigger this vulnerability?

An attacker targets the site's password reset form. Exploitation occurs when the Ultimate Member integration is active, as the plugin relies on a public nonce and fails to bind the reset request to a specific, validated OTP session. The vulnerability does not trigger if the plugin is strictly configured for phone-only resets, as this configuration restricts the specific codepath susceptible to this bypass.

Is my website at risk if it runs this plugin?

According to Halo Surface Signal, this vulnerability is classified as likely to be exposed because the plugin modifies password reset flows on internet-facing WordPress sites. If your site allows public access to the Ultimate Member password reset form, the functionality required for this bypass is reachable by anyone on the internet, significantly increasing the likelihood of risk.

What should I do first to address CVE-2026-14245?

Identify if your WordPress installation uses the miniOrange plugin and confirm if the Ultimate Member integration is currently enabled. Since the flaw requires this integration and a specific configuration, verifying your current plugin settings is the immediate priority. Once you have a clear picture of your site's configuration, you can determine the urgency of updating the plugin or temporarily disabling the affected features.

References