Orion Login with SMS WordPress Plugin Authentication Bypass Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in the Orion Login with SMS plugin for WordPress, affecting all versions through 1.0.5. The issue arises because the olws_handle_verify_phone() function uses a weak one-time password (OTP) mechanism, exposing the hash required to generate the OTP. Additionally, there are no limitations on the number of attempts to submit the verification code. This vulnerability allows unauthenticated attackers to log in as other users, including administrators, if they can access the user's phone number.
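As an added example that is not the plugin's own code, the following WordPress-style verification flow addresses the two weaknesses described above: the OTP is never derivable from anything returned to the client (only a server-side password hash is stored), and the number of verification attempts per issued code is bounded. Function names prefixed `example_` are hypothetical; the WordPress API calls used (`set_transient`, `get_transient`, `delete_transient`, `wp_hash_password`, `wp_check_password`) are real.

```php
<?php
// Added example, not the plugin's code. Hardened phone-OTP flow for a
// WordPress login: the code is generated from a CSPRNG, only its hash is
// stored server-side, and each issued code allows a bounded number of tries.

const EXAMPLE_OTP_TTL      = 5 * MINUTE_IN_SECONDS; // OTP lifetime in seconds
const EXAMPLE_MAX_ATTEMPTS = 5;                     // tries per issued OTP

function example_otp_key( string $phone ): string {
    // md5 here only normalises the phone number into a safe transient key.
    return 'example_otp_' . md5( $phone );
}

function example_issue_otp( string $phone ): string {
    // Six-digit code from random_int(), which is cryptographically secure.
    $otp = sprintf( '%06d', random_int( 0, 999999 ) );
    // Persist only a password hash plus bookkeeping; nothing sent to the
    // browser lets a client recompute the code.
    set_transient( example_otp_key( $phone ), array(
        'hash'     => wp_hash_password( $otp ),
        'attempts' => 0,
        'expires'  => time() + EXAMPLE_OTP_TTL,
    ), EXAMPLE_OTP_TTL );
    return $otp; // hand this to the SMS gateway, never to the HTTP response
}

function example_verify_otp( string $phone, string $submitted ): bool {
    $key   = example_otp_key( $phone );
    $state = get_transient( $key );
    if ( false === $state || $state['expires'] <= time() ) {
        delete_transient( $key );
        return false; // no OTP outstanding, or it expired
    }
    if ( $state['attempts'] >= EXAMPLE_MAX_ATTEMPTS ) {
        delete_transient( $key ); // lock out; a fresh OTP must be requested
        return false;
    }
    if ( ! wp_check_password( $submitted, $state['hash'] ) ) {
        // Count the failure without extending the original expiry window.
        $state['attempts']++;
        set_transient( $key, $state, max( 1, $state['expires'] - time() ) );
        return false;
    }
    delete_transient( $key ); // single use: a verified code cannot be replayed
    return true;
}
```

The attempt counter is keyed per phone number, so a new code must be requested after the limit is hit; pairing this with per-IP rate limiting on the request endpoint is the usual complement.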

Impact

Exploitation of this vulnerability allows for authentication bypass, enabling attackers to log in as other users, including administrators.

Added: Jul 22, 2025, 10:17 AM
Updated: Jul 22, 2025, 1:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.