CVE-2025-7692 Overview
CVE-2025-7692 is an authentication bypass vulnerability in the Orion Login with SMS plugin for WordPress, affecting all versions up to and including 1.0.5. The flaw resides in the olws_handle_verify_phone() function, which generates a weak one-time password (OTP), exposes the hash used to derive the OTP, and fails to limit verification attempts. Unauthenticated attackers who know a target user's phone number can brute force or compute the OTP and authenticate as any user, including administrators. The weakness is classified under [CWE-288: Authentication Bypass Using an Alternate Path or Channel].
Critical Impact
Unauthenticated attackers with knowledge of a registered phone number can log in as administrators, leading to full WordPress site compromise.
Affected Products
- Orion Login with SMS plugin for WordPress, all versions through 1.0.5
- WordPress sites with the plugin enabled for SMS-based authentication
- Administrator accounts that have a phone number registered for SMS login
Discovery Timeline
- 2025-07-22 - CVE-2025-7692 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-7692
Vulnerability Analysis
The Orion Login with SMS plugin implements phone-number-based authentication by issuing an OTP that users submit to verify identity. The olws_handle_verify_phone() function contains three compounding weaknesses that together break the authentication boundary. The OTP value lacks sufficient entropy, the hash material used to derive the OTP is exposed to the client, and no rate limiting or attempt cap is enforced on submission.
Any one of these issues alone would weaken the control. Combined, they allow an unauthenticated attacker to bypass SMS verification entirely by either reconstructing the OTP from the exposed hash or by submitting candidate values until the correct one is accepted. Successful exploitation logs the attacker in as the targeted user account.
Root Cause
The root cause is a flawed design of the OTP verification workflow: the OTP is generated from insufficiently random material, the hash needed to reconstruct it is handed to the client, and the server never caps the number of verification attempts. Because the SMS login path is an alternate authentication channel that sidesteps the normal password check, the weakness is classified under [CWE-288].
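To make the three compounding weaknesses concrete, the following added example (illustration only, not the plugin's code; the advisory does not publish the vulnerable source) models a deliberately weak OTP service alongside a hardened one. WeakOtpService draws a 4-digit code from the clock, returns an unsalted hash of it in the "send code" response, and never counts attempts, so the code can be recovered offline from the hash or guessed online. HardenedOtpService uses a CSPRNG, keeps only a keyed HMAC of the code on the server, expires it, enforces a five-attempt cap, and compares in constant time. Phone numbers, the server key, and the clock values are constructed sample inputs.

```python
"""Weak vs. hardened OTP verification (added illustration, not the plugin's code).

WeakOtpService models the three weaknesses the advisory describes:
  1. low-entropy OTP drawn from a predictable source,
  2. the OTP's hash handed to the client in the "send code" response,
  3. no cap on verification attempts.
HardenedOtpService shows the corresponding fixes. Phone numbers and the
server key are constructed sample values.
"""
import hashlib
import hmac
import secrets
import time


class WeakOtpService:
    """Deliberately vulnerable, mirroring the advisory's description."""

    def __init__(self):
        self.pending = {}                 # phone -> plaintext OTP

    def send_code(self, phone, now=None):
        now = int(now if now is not None else time.time())
        # Weakness 1: 4-digit code derived from the clock, so it is guessable
        # and the whole search space is only 10,000 values.
        otp = f"{now % 10000:04d}"
        self.pending[phone] = otp
        # Weakness 2: the unsalted hash of the OTP is returned to the client.
        return {"status": "sent", "otp_hash": hashlib.md5(otp.encode()).hexdigest()}

    def verify(self, phone, candidate):
        # Weakness 3: no attempt counter, no expiry, and a non-constant-time compare.
        return self.pending.get(phone) == candidate


class HardenedOtpService:
    """Hardened flow: CSPRNG code, server-side-only HMAC, attempt cap, expiry."""

    MAX_ATTEMPTS = 5
    TTL_SECONDS = 300

    def __init__(self, server_key):
        self.server_key = server_key      # never leaves the server
        self.pending = {}                 # phone -> [tag, expiry, attempts]

    def _tag(self, phone, otp):
        # Keyed hash: even if the stored tag leaked, the code could not be
        # brute-forced offline without the server key.
        return hmac.new(self.server_key, f"{phone}:{otp}".encode(), "sha256").digest()

    def send_code(self, phone, now=None):
        now = now if now is not None else time.time()
        otp = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
        self.pending[phone] = [self._tag(phone, otp), now + self.TTL_SECONDS, 0]
        # The client response carries no OTP material. The OTP itself goes out
        # of band (the SMS); this illustration returns it separately so a
        # caller can play the legitimate user.
        return {"status": "sent"}, otp

    def verify(self, phone, candidate, now=None):
        now = now if now is not None else time.time()
        entry = self.pending.get(phone)
        if entry is None:
            return False
        tag, expiry, attempts = entry
        if now > expiry or attempts >= self.MAX_ATTEMPTS:
            self.pending.pop(phone, None)    # code is burned; user must request a new one
            return False
        entry[2] += 1                        # count the attempt before comparing
        if hmac.compare_digest(tag, self._tag(phone, candidate)):
            self.pending.pop(phone, None)    # single use
            return True
        return False


def crack_from_exposed_hash(otp_hash):
    """Offline attack on weakness 2: hash every 4-digit code until one matches."""
    for i in range(10000):
        guess = f"{i:04d}"
        if hashlib.md5(guess.encode()).hexdigest() == otp_hash:
            return guess
    return None


def online_bruteforce(service, phone, digits):
    """Online attack on weakness 3: submit every code; returns the accepted attempt number or None."""
    for i in range(10**digits):
        if service.verify(phone, f"{i:0{digits}d}"):
            return i + 1
    return None


if __name__ == "__main__":
    weak = WeakOtpService()
    resp = weak.send_code("+15555550100", now=1_700_000_042)
    print("weak: OTP recovered offline from exposed hash:", crack_from_exposed_hash(resp["otp_hash"]))
    hardened = HardenedOtpService(server_key=b"constructed-server-secret")
    hardened.send_code("+15555550100")
    print("hardened: online brute force accepted on attempt:",
          online_bruteforce(hardened, "+15555550100", 6))   # None: locked out after 5 tries
```

The hardened version deliberately counts an attempt before comparing and discards the pending code once the cap or expiry is hit, so an attacker cannot keep a single challenge alive indefinitely; the legitimate user simply requests a fresh code.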
Attack Vector
Exploitation occurs over the network against the plugin's verification endpoint. The attacker must know the target user's phone number, which raises attack complexity but is often discoverable through public profiles, breached datasets, or organizational directories. No prior authentication or user interaction is required. Once a valid OTP is guessed or computed, the attacker receives an authenticated session for the target account.
Verified exploit code is not publicly available at this time. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-7692
Indicators of Compromise
- High volume of POST requests to the plugin's phone verification endpoint from a single source IP within a short window
- Successful WordPress login events for administrator accounts that immediately follow repeated OTP verification attempts
- Unexpected new administrator accounts, modified user roles, or plugin/theme installations following SMS login activity
Detection Strategies
- Inspect web server access logs for bursts of POST requests to /wp-admin/admin-ajax.php (or whichever endpoint the orion-login-with-sms plugin registers for verification) from a single source IP; olws_handle_verify_phone is a PHP function, not a URL, and the AJAX action parameter normally travels in the POST body, so stock access logs reveal only request volume, not the action, unless request-body logging or WAF logs are available
- Correlate failed OTP submissions with subsequent successful authentications for the same user account
- Alert on administrator session creation originating from IP addresses or geolocations that deviate from historical baselines
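The first two strategies above can be implemented as a small correlation rule. The added example below (not part of the advisory) parses constructed access log lines in nginx/Apache combined format, finds IPs that exceed a threshold of POSTs to admin-ajax.php inside a sliding 60-second window, and raises an alert when a successful privileged login from the same IP follows within five minutes. Because the plugin's AJAX action travels in the POST body, which stock access logs do not record, the burst is keyed on POST volume to the endpoint rather than on the action name. The login records stand in for successful-login events from a WordPress audit-log plugin; their field layout is an assumption.

```python
"""Correlate OTP verification bursts against admin-ajax.php with a following privileged login.

Added example for the detection strategies above; not part of the advisory.
ACCESS_LOG lines are constructed in combined log format; LOGINS stands in for
successful-login events from a WordPress audit-log plugin (shape assumed).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
AJAX_PATH = "/wp-admin/admin-ajax.php"
BURST_THRESHOLD = 10                     # POSTs per window from one IP
BURST_WINDOW = timedelta(seconds=60)
LOGIN_LOOKAHEAD = timedelta(minutes=5)   # how soon after the burst a login counts
PRIVILEGED_ROLES = {"administrator", "editor"}

# Constructed sample: 203.0.113.7 sends 12 POSTs in 34 seconds; 198.51.100.4 is
# ordinary wp-admin heartbeat traffic (also POSTs to admin-ajax.php, but far
# below the threshold); one unrelated GET from the attacker is included too.
ACCESS_LOG = "\n".join(
    [f'203.0.113.7 - - [22/Jul/2025:10:00:{s:02d} +0000] "POST {AJAX_PATH} HTTP/1.1" 200 41 "-" "python-requests/2.32"'
     for s in range(1, 37, 3)]
    + [f'198.51.100.4 - - [22/Jul/2025:10:0{m}:05 +0000] "POST {AJAX_PATH} HTTP/1.1" 200 22 "-" "Mozilla/5.0"'
       for m in range(3)]
    + ['203.0.113.7 - - [22/Jul/2025:10:01:09 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "python-requests/2.32"']
)


def _t(hhmmss):
    """Constructed timestamp helper for the login records (same day as the log)."""
    h, m, s = map(int, hhmmss.split(":"))
    return datetime(2025, 7, 22, h, m, s, tzinfo=timezone.utc)


LOGINS = [  # successful WordPress logins; field layout is an assumption
    {"user": "admin", "role": "administrator", "ip": "203.0.113.7", "ts": _t("10:01:10")},
    {"user": "alice", "role": "editor", "ip": "198.51.100.4", "ts": _t("10:02:30")},
]


def parse_access_log(text):
    """Parse combined-format lines; lines in another format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],   # ignore query string
            "status": int(m["status"]),
        })
    return events


def find_bursts(events, path=AJAX_PATH):
    """Return {ip: time the threshold was first crossed} using a sliding window."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["method"] == "POST" and e["path"] == path:
            by_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1                       # slide the window forward
            if end - start + 1 >= BURST_THRESHOLD:
                bursts[ip] = t
                break
    return bursts


def correlate(bursts, logins):
    """Alert when a privileged login from a bursting IP lands inside the lookahead."""
    alerts = []
    for login in logins:
        burst_at = bursts.get(login["ip"])
        if burst_at is None or login["role"] not in PRIVILEGED_ROLES:
            continue
        if burst_at <= login["ts"] <= burst_at + LOGIN_LOOKAHEAD:
            alerts.append(f"{login['ip']} burst at {burst_at:%H:%M:%S} then logged in as "
                          f"{login['user']} ({login['role']}) at {login['ts']:%H:%M:%S}")
    return alerts


if __name__ == "__main__":
    for alert in correlate(find_bursts(parse_access_log(ACCESS_LOG)), LOGINS):
        print("ALERT:", alert)
```

Tune BURST_THRESHOLD against your own baseline: the WordPress heartbeat and many plugins legitimately POST to admin-ajax.php, so the threshold must sit well above normal per-IP volume, and the correlation with a subsequent privileged login is what keeps the rule from paging on noisy but benign clients.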
Monitoring Recommendations
- Enable WordPress audit logging to capture authentication events, role changes, and plugin configuration modifications
- Forward web server and WordPress logs to a SIEM or centralized log store so that web, identity, and endpoint telemetry can be correlated in one place
- Monitor outbound activity from the WordPress host for indicators of post-exploitation behavior such as webshell drops or credential dumping
How to Mitigate CVE-2025-7692
Immediate Actions Required
- Deactivate or remove the Orion Login with SMS plugin until a version that fixes the issue is released and installed
- Audit all WordPress administrator and editor accounts for unauthorized changes, recent logins, and unfamiliar phone numbers
- Force a password reset for all privileged accounts and invalidate active sessions
Patch Information
No fixed version is identified in the available NVD data at the time of writing. Site operators should monitor the Orion Login with SMS plugin page and the Wordfence Vulnerability Report for the release that remediates the OTP generation, hash exposure, and attempt limiting weaknesses.
Workarounds
- Deactivate the plugin and revert to standard WordPress authentication combined with a vetted multi-factor authentication solution
- Restrict access to wp-admin and the plugin's AJAX endpoints by source IP using web server access controls or a web application firewall
- Apply WAF rules that rate limit requests to the OTP verification endpoint and block clients exceeding reasonable thresholds
# Example: rate limit OTP verification requests in nginx
# http context: one shared zone keyed on client IP, 5 requests per minute
limit_req_zone $binary_remote_addr zone=otp_verify:10m rate=5r/m;

# server context. Caveat: admin-ajax.php is shared by the WordPress heartbeat and
# many plugins, so a 5r/m cap here also throttles legitimate wp-admin traffic;
# nginx cannot key on the action parameter in the POST body, so narrow the match
# to a distinct verification path if the plugin exposes one, or use a WAF.
location = /wp-admin/admin-ajax.php {
    limit_req zone=otp_verify burst=5 nodelay;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass php-fpm;   # assumes an upstream block named php-fpm
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


