CRITICAL | CVE-2026-3655 | CNA: Wordfence

CVE-2026-3655: OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification

The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `lwp_ajax_register` AJAX handler not binding the Firebase session to the phone number supplied in the request. The `idehweb_lwp_activate_through_firebase()` function validates that a Firebase OTP session is legitimate, but the `phoneNumber` returned by Firebase is never compared against the victim's stored phone number. This makes it possible for unauthenticated attackers to authenticate as any user who has a phone number stored in user meta, including administrators, by verifying their own Firebase session and supplying the victim's phone number in the same request.

HarborGuard Analysis

Synopsis

An authentication bypass affects the OTP Login With Phone Number, OTP Verification WordPress plugin in versions 1.8.50 through 1.8.60. The flaw is reachable over the network with no authentication or user interaction: the `lwp_ajax_register` handler validates that a Firebase OTP session is legitimate but never checks that the phone number returned by Firebase matches the phone number supplied in the request, so an attacker who verifies their own Firebase session can pass any victim's phone number and log in as that account, including administrators. No fix version has been published; HarborGuard tracks the advisory and will surface a patched rebuild as soon as the upstream maintainer ships one.
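The defect described in the advisory text and the synopsis above is a missing identity-binding check. The PHP sketch below is an added illustration, not the plugin's code (and not Wordfence's or HarborGuard's): it shows the account-selection step in the shape the advisory describes for the affected versions, and next to it the hardened shape in which the `phoneNumber` Firebase attested for the session decides which account is logged in. The meta key `example_phone`, the `example_*` helper names and the assumption that stored phone numbers are already normalised are all assumptions made for this sketch.

```php
<?php
// Added illustration, not the plugin's code. Only lwp_ajax_register,
// idehweb_lwp_activate_through_firebase() and phoneNumber appear in the
// advisory; the meta key 'example_phone' and every example_* name below
// are assumptions made for this sketch.

// Reduce a phone number to a comparable E.164-style form so spaces,
// dashes or parentheses cannot make two equal numbers look different.
function example_normalise_phone( string $phone ): string {
    $digits = preg_replace( '/\D+/', '', $phone );
    return $digits === '' ? '' : '+' . $digits;
}

// Vulnerable shape (as the advisory describes versions 1.8.50 - 1.8.60):
// the Firebase session has already been validated by the caller, but the
// phone number from the request body alone picks the account to log in.
function example_login_vulnerable( string $requested_phone ): void {
    $users = get_users( array(
        'meta_key'   => 'example_phone',           // assumed meta key
        'meta_value' => example_normalise_phone( $requested_phone ),
        'number'     => 1,
    ) );
    if ( empty( $users ) ) {
        wp_send_json_error( 'no such user', 404 ); // calls wp_die()
    }
    wp_set_auth_cookie( $users[0]->ID );
    wp_send_json_success();
}

// Hardened shape: $attested_phone is the phoneNumber Firebase returned for
// the verified session. The request may not name a different account than
// the one the session proves control of, and the lookup itself uses the
// attested value, so the request-body number can only ever agree with it.
function example_login_hardened( string $attested_phone, string $requested_phone ): void {
    $attested  = example_normalise_phone( $attested_phone );
    $requested = example_normalise_phone( $requested_phone );
    if ( $attested === '' || $attested !== $requested ) {
        wp_send_json_error( 'phone number does not match verified session', 403 );
    }
    $users = get_users( array(
        'meta_key'   => 'example_phone',           // assumed meta key
        'meta_value' => $attested,                 // attested, not requested
        'number'     => 1,
    ) );
    if ( empty( $users ) ) {
        wp_send_json_error( 'no such user', 404 );
    }
    wp_set_auth_cookie( $users[0]->ID );
    wp_send_json_success();
}
```

Both functions assume the caller has already performed the Firebase session validation that `idehweb_lwp_activate_through_firebase()` does; the only difference between them is whether the attested number is compared with, and used instead of, the submitted one.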

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment, with the Wordfence advisory ingested within minutes of publication and matched against WordPress images and plugin bundles in customer registries and build pipelines. Coverage extends to custom-built images that vendor the plugin, since matching runs on file content rather than image provenance.

Status: Available

Triage

Triage is available with the published CVSS 3.1 score of 9.8 (critical) carried through and reweighted against each environment's compliance policy, so an internet-facing WordPress workload running this plugin escalates differently than an isolated staging image. Findings route to the inbox configured for critical authentication-bypass issues inside each customer org.

Status: Available

Patch

No upstream fix is published yet, so HarborGuard re-checks the Wordfence advisory and the plugin's release feed each ingest cycle. The moment a patched plugin version ships, a rebuilt image becomes available and customers with auto-remediation enabled get the rebuild, a regression-test run, and a PR opened against affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress site's AJAX endpoint over the network, which for typical deployments means any internet-exposed host.

  • Authentication: Not required

    No account or session is needed; the `lwp_ajax_register` handler is reachable unauthenticated.

  • Victim interaction: Not required

    The attacker verifies their own Firebase OTP session, so no action by the victim user is required.

  • Attack complexity: Low (AC:L)

    The exploit is reliable: the attacker needs only a valid Firebase session of their own and the victim's stored phone number in the request body.

Blast Radius

  • Logs in as any WordPress user whose phone number is stored in user meta, including administrators, with full session privileges of that account.
  • Reads any data the impersonated account can access, including private posts, user records, and plugin-managed secrets.
  • Modifies site content, user accounts, plugin and theme files, and WordPress options when the hijacked account has admin rights, which typically leads to full site takeover and persistent backdoors.
  • Disrupts site availability by changing credentials, disabling plugins, or installing malicious code that breaks the front end.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the Wordfence advisory and the glboy plugin release feed, with the critical-severity finding surfaced against any image that vendors versions 1.8.50 through 1.8.60. Until an upstream fix ships, compensating controls worth applying include restricting access to `/wp-admin/admin-ajax.php` at the edge for unauthenticated callers where feasible, removing or replacing the plugin, clearing stored phone numbers from administrator accounts, and adding a WAF rule that blocks `action=lwp_ajax_register` requests whose Firebase session phone number does not match the submitted phone number. The moment a patched plugin version is published, a rebuilt image becomes available on HarborGuard and environments with auto-remediation enabled receive a rebuild, regression run, and merge-ready PR against affected workloads.


Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected products: 1
  • Affected packages: glboy / OTP Login With Phone Number, OTP Verification, ≤ 1.8.60
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H