๐Ÿ” CVE Alert

CVE-2025-7692

HIGH 8.1

Orion Login with SMS <= 1.0.5 - Authentication Bypass via Weak OTP

CVSS Score: 8.1
EPSS Score: 0.0%
EPSS Percentile: 0th

The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the olws_handle_verify_phone() function using an OTP value that is not strong enough, exposing the hash needed to generate the OTP value, and placing no restrictions on the number of attempts to submit the code. This makes it possible for unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number.

CWE: CWE-288
Vendor: gsayed786
Product: orion login with sms
Published: Jul 22, 2025
Last Updated: Apr 8, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

gsayed786 / Orion Login with SMS
0 ≤ 1.0.5

References

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/31a47cbd-c19b-4ac3-87ed-2d4c5c0e9cb7?source=cve
wordpress.org: https://wordpress.org/plugins/orion-login-with-sms/

Credits

Kenneth Dunn