CVE-2025-7692 Information

Jul 23, 2025 cve

Description

The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to and including 1.0.5. This is due to the olws_handle_verify_phone() function not utilizing a strong enough OTP value exposing the hash needed to generate the OTP value and no restrictions on the number of attempts to submit the code. This makes it possible for unauthenticated attackers to log in as other users including administrators if they have access to their phone number.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://wordpress.org/plugins/orion-login-with-sms/ https://www.wordfence.com/threat-intel/vulnerabilities/id/31a47cbd-c19b-4ac3-87ed-2d4c5c0e9cb7?source=cve

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.1

CNNVD-202507-2868 (Published: 2025-07-22)

Share on: