CVE-2024-11178: CWE-288 Authentication Bypass Using an Alternate Path or Channel in india-web-developer Login with OTP
The Login With OTP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.4.2. This is due to the plugin generating too weak OTP, and there’s no attempt or time limit. This makes it possible for unauthenticated attackers to generate and brute force the 6-digit numeric OTP that makes it possible to log in as any existing user on the site, such as an administrator, if they have access to the email.
AI Analysis
Technical Summary
CVE-2024-11178 is an authentication bypass vulnerability in the india-web-developer Login With OTP WordPress plugin (up to version 1.4.2). The plugin generates weak 6-digit numeric OTPs without enforcing attempt or time limits, enabling attackers to brute force OTPs and gain unauthorized access to user accounts, including administrative ones, if they have access to the victim's email. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability. No patch or vendor advisory has been provided to date.
Potential Impact
Successful exploitation allows an unauthenticated attacker to bypass authentication and log in as any existing user on the WordPress site, including administrators, if the attacker can access the user's email. This compromises site confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to user email accounts and consider disabling the vulnerable plugin or replacing it with a more secure authentication method.
CVE-2024-11178: CWE-288 Authentication Bypass Using an Alternate Path or Channel in india-web-developer Login with OTP
Description
The Login With OTP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.4.2. This is due to the plugin generating too weak OTP, and there’s no attempt or time limit. This makes it possible for unauthenticated attackers to generate and brute force the 6-digit numeric OTP that makes it possible to log in as any existing user on the site, such as an administrator, if they have access to the email.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-11178 is an authentication bypass vulnerability in the india-web-developer Login With OTP WordPress plugin (up to version 1.4.2). The plugin generates weak 6-digit numeric OTPs without enforcing attempt or time limits, enabling attackers to brute force OTPs and gain unauthorized access to user accounts, including administrative ones, if they have access to the victim's email. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability. No patch or vendor advisory has been provided to date.
Potential Impact
Successful exploitation allows an unauthenticated attacker to bypass authentication and log in as any existing user on the WordPress site, including administrators, if the attacker can access the user's email. This compromises site confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to user email accounts and consider disabling the vulnerable plugin or replacing it with a more secure authentication method.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-11-13T13:33:17.977Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e07b7ef31ef0b593e4e
Added to database: 2/25/2026, 9:47:51 PM
Last enriched: 4/9/2026, 5:56:20 AM
Last updated: 4/12/2026, 4:34:44 AM
Views: 22
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.