CVE-2026-14245
Last modified
CVE-2026-14245 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the `um_reset_password_process_hook()` function performing no server-side verification that the OTP validation step was completed, and relying solely on a public `form_nonce` nonce that the plugin itself emits to unauthenticated visitors via the `moumprvar` JavaScript object on the Ultimate Member password reset page, while still accepting the attacker-controlled `username_b` parameter to target any WordPress user without role restriction or any binding to a previously validated OTP session. EPSS estimates a 0.59% chance of exploitation in the next 30 days.
Description
The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the `um_reset_password_process_hook()` function performing no server-side verification that the OTP validation step was completed, and relying solely on a public `form_nonce` nonce that the plugin itself emits to unauthenticated visitors via the `moumprvar` JavaScript object on the Ultimate Member password reset page, while still accepting the attacker-controlled `username_b` parameter to target any WordPress user without role restriction or any binding to a previously validated OTP session. This makes it possible for unauthenticated attackers to obtain a freshly generated password-reset URL for an arbitrary Administrator account — returned in a 302 `Location` header — and use it to take full control of that account. Exploitation requires the Ultimate Member Password Reset Form integration to be active and the plugin to not be configured for phone-only reset.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
Source: CNA advisory (CVE.org). NVD analysis pending.
| Vendor | Product | Versions |
|---|---|---|
| cyberlord92 | miniOrange OTP Login, Verification and SMS Notifications | <= 5.5.1 |
References
Timeline
- Published
- Last Modified
- Status
- Deferred
Frequently Asked Questions
What is CVE-2026-14245?
How severe is CVE-2026-14245?
How do I fix CVE-2026-14245?
Related CVEs from 2026
- CVE-2026-1421A vulnerability has been found in code-projects Online Exami…5.4
- CVE-2026-1422A vulnerability was found in code-projects Online Examinatio…9.8
- CVE-2026-1423A vulnerability was determined in code-projects Online Exami…9.8
- CVE-2026-1424A vulnerability was identified in PHPGurukul News Portal 1.0…7.2
- CVE-2026-14241Memory safety bugs present in Firefox 152.0.3. Some of these…9.8
- CVE-2026-14244The Jssor Slider by jssor.com plugin for WordPress is vulner…7.5
- CVE-2026-14249The Request a Quote plugin for WordPress is vulnerable to Co…7.5
- CVE-2026-1425A security flaw has been discovered in pymumu SmartDNS up to…6.3
- CVE-2026-14250The Themehunk Login Registration plugin for WordPress is vul…6.3
- CVE-2026-14258A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router …6.5
- CVE-2026-1426The Advanced AJAX Product Filters plugin for WordPress is vu…8.8
- CVE-2026-14261A vulnerability in the Xerte Online Tools allows for authent…9.1
Are you affected by CVE-2026-14245?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
