The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Login with OTP plugin for WordPress contains a critical authentication bypass vulnerability affecting all versions up to 1.6. An incomplete patch for a previous vulnerability left the rate-limiting and lockout mechanisms only partially implemented—they protect the OTP generation process but fail to guard the OTP validation step. Combined with the absence of OTP expiration timers, attackers can systematically brute-force through the 900,000 possible 6-digit codes without facing account lockouts or throttling delays. This vulnerability directly enables unauthorized account access on any WordPress site using this plugin, potentially exposing admin accounts, user data, and site integrity to unauthenticated threat actors.
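As an added example (not the plugin's own code) of the fix pattern both defects above call for, here is a constructed WordPress-style handler: the lockout check is evaluated before either branch rather than only when an OTP is generated, and the stored OTP gets a deadline and is consumed on use. `otpl_login_action()` and `wp_set_auth_cookie()` are the names the advisory gives; every other `otpl_*` helper, the meta and transient keys, and the limits are assumptions made for this example.

```php
<?php
// Constructed illustration, not the plugin's code: an OTP login handler in
// which the lockout check runs before BOTH branches and the stored OTP
// carries an expiry. Helper names, meta/transient keys and limits are assumed.
define( 'OTPL_MAX_FAILURES', 5 );
define( 'OTPL_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );
define( 'OTPL_OTP_TTL_SECONDS', 5 * MINUTE_IN_SECONDS );

function otpl_failure_key( int $user_id ): string {
    return 'otpl_failures_' . $user_id;
}

function otpl_is_locked_out( int $user_id ): bool {
    return (int) get_transient( otpl_failure_key( $user_id ) ) >= OTPL_MAX_FAILURES;
}

function otpl_record_failure( int $user_id ): void {
    $key = otpl_failure_key( $user_id );
    // The transient's TTL is the lockout window; it restarts on each failure.
    set_transient( $key, (int) get_transient( $key ) + 1, OTPL_LOCKOUT_SECONDS );
}

function otpl_login_action( WP_User $user, ?string $submitted_otp ) {
    // Defect 1: the check lived only inside the generation branch, so the
    // validation branch below was never throttled. Run it before either branch.
    if ( otpl_is_locked_out( $user->ID ) ) {
        return new WP_Error( 'otpl_locked', 'Too many attempts; try again later.' );
    }
    if ( null === $submitted_otp ) {                  // OTP-generation branch
        $otp = (string) random_int( 100000, 999999 ); // 900,000-value space
        // Defect 2: the OTP never expired. Store it as a hash, with a deadline.
        update_user_meta( $user->ID, 'otpl_otp_hash', wp_hash_password( $otp ) );
        update_user_meta( $user->ID, 'otpl_otp_expires', time() + OTPL_OTP_TTL_SECONDS );
        return $otp;                                  // caller delivers it to the user
    }
    // OTP-validation branch: now rate limited, time bounded and single use.
    $hash    = (string) get_user_meta( $user->ID, 'otpl_otp_hash', true );
    $expires = (int) get_user_meta( $user->ID, 'otpl_otp_expires', true );
    if ( '' === $hash || time() > $expires || ! wp_check_password( $submitted_otp, $hash ) ) {
        otpl_record_failure( $user->ID );
        return new WP_Error( 'otpl_bad_otp', 'Invalid or expired OTP.' );
    }
    delete_user_meta( $user->ID, 'otpl_otp_hash' );
    delete_user_meta( $user->ID, 'otpl_otp_expires' );
    delete_transient( otpl_failure_key( $user->ID ) );
    wp_set_auth_cookie( $user->ID );
    return true;
}
```

The failure counter here is keyed per user, so it also bounds the total number of validation attempts against an account regardless of how many source addresses the requests come from.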
Casky's AI-driven detection framework would identify attack patterns associated with this vulnerability through behavioral analysis across multiple security skill domains. Practitioners would observe findings related to credential compromise attempts and access control failures—detecting unusual volumes of failed authentication requests from single or distributed sources, successful logins following failed OTP submissions, and absence of expected rate-limiting responses that should block rapid validation attempts. While traditional MITRE ATT&CK mapping shows no direct technique codes for this specific flaw, Casky's extended reasoning would correlate indicators with T1078 (Valid Accounts) and T1110 (Brute Force) patterns, surfacing anomalous authentication sequences that reveal exploitation attempts even when the underlying code-level vulnerability cannot be directly observed in logs.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-8760. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation