Skip to main content
CVE Vulnerability Database

CVE-2025-7692: Orion Login with SMS Auth Bypass Flaw

CVE-2025-7692 is an authentication bypass vulnerability in the Orion Login with SMS WordPress plugin that allows attackers to log in as any user with weak OTP validation. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2025-7692 Overview

CVE-2025-7692 is an authentication bypass vulnerability in the Orion Login with SMS plugin for WordPress, affecting all versions up to and including 1.0.5. The flaw resides in the olws_handle_verify_phone() function, which generates a weak one-time password (OTP), exposes the hash used to derive the OTP, and fails to limit verification attempts. Unauthenticated attackers who know a target user's phone number can brute force or compute the OTP and authenticate as any user, including administrators. The weakness is classified under [CWE-288: Authentication Bypass Using an Alternate Path or Channel].

Critical Impact

Unauthenticated attackers with knowledge of a registered phone number can log in as administrators, leading to full WordPress site compromise.

Affected Products

  • Orion Login with SMS plugin for WordPress, all versions through 1.0.5
  • WordPress sites with the plugin enabled for SMS-based authentication
  • Administrator accounts that have a phone number registered for SMS login

Discovery Timeline

  • 2025-07-22 - CVE-2025-7692 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-7692

Vulnerability Analysis

The Orion Login with SMS plugin implements phone-number-based authentication by issuing an OTP that users submit to verify identity. The olws_handle_verify_phone() function contains three compounding weaknesses that together break the authentication boundary. The OTP value lacks sufficient entropy, the hash material used to derive the OTP is exposed to the client, and no rate limiting or attempt cap is enforced on submission.

Any one of these issues alone would weaken the control. Combined, they allow an unauthenticated attacker to bypass SMS verification entirely by either reconstructing the OTP from the exposed hash or by submitting candidate values until the correct one is accepted. Successful exploitation logs the attacker in as the targeted user account.

Root Cause

The root cause is improper design of the OTP verification workflow. The plugin trusts client-supplied data, leaks server-side secrets needed to compute the OTP, and omits server-side enforcement of submission limits. This maps to [CWE-288], where an alternate authentication channel (SMS) bypasses the standard credential check.

Attack Vector

Exploitation occurs over the network against the plugin's verification endpoint. The attacker must know the target user's phone number, which raises attack complexity but is often discoverable through public profiles, breached datasets, or organizational directories. No prior authentication or user interaction is required. Once a valid OTP is guessed or computed, the attacker receives an authenticated session for the target account.

Verified exploit code is not publicly available at this time. Refer to the Wordfence Vulnerability Report for additional technical context.

Detection Methods for CVE-2025-7692

Indicators of Compromise

  • High volume of POST requests to the plugin's phone verification endpoint from a single source IP within a short window
  • Successful WordPress login events for administrator accounts that immediately follow repeated OTP verification attempts
  • Unexpected new administrator accounts, modified user roles, or plugin/theme installations following SMS login activity

Detection Strategies

  • Inspect WordPress access logs for repeated requests to olws_handle_verify_phone or related AJAX actions exposed by the orion-login-with-sms plugin
  • Correlate failed OTP submissions with subsequent successful authentications for the same user account
  • Alert on administrator session creation originating from IP addresses or geolocations that deviate from historical baselines

Monitoring Recommendations

  • Enable WordPress audit logging to capture authentication events, role changes, and plugin configuration modifications
  • Forward web server and WordPress logs into a centralized data lake to support correlation across endpoints, identity, and web tiers
  • Monitor outbound activity from the WordPress host for indicators of post-exploitation behavior such as webshell drops or credential dumping

How to Mitigate CVE-2025-7692

Immediate Actions Required

  • Disable or remove the Orion Login with SMS plugin until a patched version is verified to be installed
  • Audit all WordPress administrator and editor accounts for unauthorized changes, recent logins, and unfamiliar phone numbers
  • Force a password reset for all privileged accounts and invalidate active sessions

Patch Information

No fixed version is identified in the available NVD data at the time of writing. Site operators should monitor the Orion Login with SMS plugin page and the Wordfence Vulnerability Report for the release that remediates the OTP generation, hash exposure, and attempt limiting weaknesses.

Workarounds

  • Deactivate the plugin and revert to standard WordPress authentication combined with a vetted multi-factor authentication solution
  • Restrict access to wp-admin and the plugin's AJAX endpoints by source IP using web server access controls or a web application firewall
  • Apply WAF rules that rate limit requests to the OTP verification endpoint and block clients exceeding reasonable thresholds
bash
# Example: rate limit OTP verification requests in nginx
limit_req_zone $binary_remote_addr zone=otp_verify:10m rate=5r/m;

location = /wp-admin/admin-ajax.php {
    limit_req zone=otp_verify burst=5 nodelay;
    include fastcgi_params;
    fastcgi_pass php-fpm;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.