WordPress OTP Plugin Authentication Bypass via Firebase Session

The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `lwp_ajax_register` AJAX handler not binding the Firebase session to the phone number supplied in the request. The `idehweb_lwp_activate_through_firebase()` function validates that a Firebase OTP session is legitimate, but the `phoneNumber` returned by Firebase is never compared against the victim's stored phone number. This makes it possible for unauthenticated attackers to authenticate as any user who has a phone number stored in user meta, including administrators, by verifying their own Firebase session and supplying the victim's phone number in the same request.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

The OTP Login With Phone Number, OTP Verification WordPress plugin contains a critical authentication bypass vulnerability (CVE-2026-3655, CVSS 9.8) affecting versions 1.8.50 through 1.8.60. The vulnerability exists in the Firebase verification flow within the `lwp_ajax_register` AJAX handler, where the system validates that a Firebase OTP session is legitimate but fails to bind that session to the specific phone number provided in the request. An attacker can exploit this by intercepting or manipulating the authentication process—validating their own Firebase OTP session while substituting a victim's phone number, effectively logging in as that user without possessing the correct OTP. This affects any WordPress site using this plugin for phone-number-based authentication, potentially exposing millions of users to account takeover attacks.

Casky.ai's 261 matched security skills map this vulnerability to MITRE ATT&CK techniques TA0004 (Privilege Escalation) and TA0006 (Credential Access), enabling practitioners to detect attack patterns associated with this flaw. Using Claude AI with extended reasoning capabilities, the platform identifies suspicious authentication anomalies such as Firebase session tokens being reused across different phone numbers, AJAX requests to `lwp_ajax_register` lacking proper phone number validation, and successful login events where the phone number in the session doesn't match the account accessed. Practitioners would observe findings highlighting improper input validation in authentication handlers, missing cryptographic binding between session tokens and user identifiers, and unusual login patterns from single Firebase sessions authenticating multiple accounts—all indicators of exploitation attempts that precede successful account compromise.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-3655.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-3655

Casky has 261 skills that investigate the attack patterns behind CVE-2026-3655. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn