CVE-2026-3655— OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification
Possible ATT&CK Techniques 1AI
T1078 · Valid AccountsAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| glboy | OTP Login With Phone Number, OTP Verification | 1.8.50≤ 1.8.60 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-3655
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification
Source: NVD (National Vulnerability Database)
Vulnerability Description
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `lwp_ajax_register` AJAX handler not binding the Firebase session to the phone number supplied in the request. The `idehweb_lwp_activate_through_firebase()` function validates that a Firebase OTP session is legitimate, but the `phoneNumber` returned by Firebase is never compared against the victim's stored phone number. This makes it possible for unauthenticated attackers to authenticate as any user who has a phone number stored in user meta, including administrators, by verifying their own Firebase session and supplying the victim's phone number in the same request.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| glboy | OTP Login With Phone Number, OTP Verification | 1.8.50 ~ 1.8.60 | - |
II. Public POCs for CVE-2026-3655
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-3655
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-3655 (1)
Other References for CVE-2026-3655 (1)
IV. Related Vulnerabilities
Same product: OTP Login With Phone Number, OTP Verification
- CVE-2025-8342
WooCommerce OTP Login With Phone Number, OTP Verification <= - CVE-2024-6482
Login with phone number <= 1.7.49 - Authenticated (Subscribe - CVE-2024-6125
Login with phone number <= 1.7.34 - Insecure Password Reset - CVE-2024-5150
Login with phone number <= 1.7.26 - Authentication Bypass du - CVE-2023-4916
Login with phone number <= 1.5.6 - Cross-Site Request Forger
Same vendor: glboy
- CVE-2025-8342
WooCommerce OTP Login With Phone Number, OTP Verification <= - CVE-2024-6482
Login with phone number <= 1.7.49 - Authenticated (Subscribe - CVE-2024-6125
Login with phone number <= 1.7.34 - Insecure Password Reset - CVE-2024-5150
Login with phone number <= 1.7.26 - Authentication Bypass du - CVE-2023-4916
Login with phone number <= 1.5.6 - Cross-Site Request Forger
Same weakness: CWE-287
- CVE-2026-46579
Openshift/router: openshift/router: mtls client certificate - CVE-2026-49197
Predator Connect W6x: Improper Authentication - CVE-2026-48526
PyJWT: Public-key JWK accepted as HMAC secret enables forged - CVE-2026-8979
Authentication Bypass - CVE-2026-44720
OpenLearnX: Critical Authentication Bypass via JWT Signature
V. Comments for CVE-2026-3655
No comments yet