
CVE-2024-9862: CWE-639 Authorization Bypass Through User-Controlled Key in cyberlord92 Miniorange OTP Verification with Firebase

Severity: Critical
Tags: vulnerability, cve-2024-9862, cwe-639
Published: Thu Oct 17 2024 (10/17/2024, 02:06:03 UTC)
Source: CVE Database V5
Vendor/Project: cyberlord92
Product: Miniorange OTP Verification with Firebase

Description

CVE-2024-9862 is a critical authorization bypass vulnerability in the Miniorange OTP Verification with Firebase WordPress plugin (up to version 3.6.0). It allows unauthenticated attackers to change any user's password without verifying the current password, due to user-controlled access to objects and missing password checks. This flaw enables attackers to potentially take over administrator accounts, compromising site confidentiality, integrity, and availability. The vulnerability has a CVSS score of 9.8, reflecting its ease of exploitation and severe impact. No known exploits are currently reported in the wild. Organizations using this plugin should urgently update or apply mitigations to prevent unauthorized account takeover.

AI-Powered Analysis

AI analysis last updated: 02/25/2026, 23:43:12 UTC

Technical Analysis

The Miniorange OTP Verification with Firebase plugin for WordPress, developed by cyberlord92, suffers from a critical authorization bypass vulnerability identified as CVE-2024-9862. This vulnerability arises from improper access control mechanisms where user-controlled keys allow bypassing authorization checks. Specifically, the plugin fails to verify the current password when processing password change requests, enabling unauthenticated attackers to arbitrarily change any user's password. The root cause is linked to CWE-639 (Authorization Bypass Through User-Controlled Key), where the plugin exposes system resources to unauthorized users due to insufficient validation of user input and access rights. This flaw affects all versions up to and including 3.6.0. Exploiting this vulnerability requires no authentication or user interaction, making it highly accessible to remote attackers. Successful exploitation can lead to full account takeover, including administrator accounts, resulting in complete compromise of the WordPress site. The vulnerability has been assigned a CVSS v3.1 base score of 9.8, indicating critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no public exploits are currently known, the high severity and ease of exploitation make it a significant threat to WordPress sites using this plugin.

Potential Impact

The impact of CVE-2024-9862 is severe for organizations using the Miniorange OTP Verification with Firebase plugin. Attackers can gain unauthorized access to user accounts by changing passwords without authentication, potentially leading to full site compromise. Administrator accounts are at risk, which can result in attackers installing backdoors, stealing sensitive data, defacing websites, or disrupting services. This undermines confidentiality, integrity, and availability of affected WordPress sites. Given WordPress's widespread use globally, this vulnerability poses a significant risk to websites ranging from small businesses to large enterprises. The ease of exploitation and lack of required privileges mean attackers can quickly leverage this flaw for mass account takeovers or targeted attacks. Organizations relying on this plugin for OTP verification and authentication are particularly vulnerable to identity theft, data breaches, and operational disruptions.

Mitigation Recommendations

To mitigate CVE-2024-9862, organizations should immediately update the Miniorange OTP Verification with Firebase plugin to a patched version once released by the vendor. Until a patch is available, consider disabling the plugin or replacing it with alternative OTP verification solutions that have proper authorization controls. Implement strict access controls and monitor logs for suspicious password change attempts. Employ Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized password change requests targeting this plugin's endpoints. Additionally, enforce multi-factor authentication (MFA) at the WordPress login level independent of the plugin to reduce risk of account takeover. Regularly audit user accounts for unauthorized changes and maintain backups to enable recovery from compromise. Engage with the plugin vendor for timely updates and verify that future versions include robust authorization checks and password verification mechanisms.
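As an added illustration of the flaw described in the technical analysis (a user-controlled key selecting the account, with no current-password check) and of the checks the mitigation section calls for, the following WordPress-style AJAX handler pair is example code written for this page. It is not the plugin's own code: the function names, AJAX action names, nonce name and POST parameter names are assumptions chosen for the example; the WordPress API calls (`wp_check_password`, `wp_set_password`, `check_ajax_referer`, `WP_Session_Tokens`) are real.

```php
<?php
// Added illustrative example, not the plugin's code. Handler names, action names,
// nonce name and request parameters are assumptions made for this page.

// INSECURE PATTERN (the CWE-639 shape the advisory describes): the account to
// modify is chosen by a request parameter, there is no login requirement, no
// nonce check and no verification of the current password.
function hypothetical_insecure_change_password() {
    $user_id      = (int) ( $_POST['user_id'] ?? 0 );          // user-controlled key picks the account
    $new_password = (string) ( $_POST['new_password'] ?? '' );
    wp_set_password( $new_password, $user_id );                // applied with no authorization check
    wp_send_json_success();
}
// Registering the handler on the wp_ajax_nopriv_ hook as well is what makes it
// reachable without authentication.
add_action( 'wp_ajax_nopriv_hypothetical_change_password', 'hypothetical_insecure_change_password' );
add_action( 'wp_ajax_hypothetical_change_password',        'hypothetical_insecure_change_password' );

// HARDENED PATTERN: the subject account comes from the session, never from the
// request; the request carries a nonce; the current password must verify; other
// sessions are invalidated after the change.
function hypothetical_secure_change_password() {
    // 1. Only authenticated users may change a password (deliberately no
    //    wp_ajax_nopriv_ registration for this handler).
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 2. CSRF protection: the form must carry a nonce for this specific action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'hypothetical_change_password_nonce', 'security' );

    // 3. Authorization: the subject is the logged-in user. Any user_id in the
    //    request is ignored, which removes the user-controlled key entirely.
    $user = wp_get_current_user();

    $current_password = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    $new_password     = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    // 4. Re-authentication: the supplied current password must match the stored hash.
    if ( '' === $current_password || ! wp_check_password( $current_password, $user->user_pass, $user->ID ) ) {
        // Record the failure so repeated attempts are visible to log monitoring.
        $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( 'password change rejected for user %d from %s', $user->ID, $remote ) );
        wp_send_json_error( array( 'message' => 'Current password is incorrect.' ), 403 );
    }

    // 5. Minimal policy on the new password (length threshold is an assumption).
    if ( strlen( $new_password ) < 12 ) {
        wp_send_json_error( array( 'message' => 'New password must be at least 12 characters.' ), 400 );
    }

    wp_set_password( $new_password, $user->ID );

    // 6. wp_set_password() does not end existing sessions by itself, so
    //    invalidate every session except the one that made this request.
    WP_Session_Tokens::get_instance( $user->ID )->destroy_others( wp_get_session_token() );

    wp_send_json_success( array( 'message' => 'Password updated.' ) );
}
add_action( 'wp_ajax_hypothetical_change_password', 'hypothetical_secure_change_password' );
```

The decisive change is step 3: once the target account is derived from the authenticated session, there is no client-supplied key for an attacker to substitute, which is the condition CWE-639 names. A forgot-password flow that legitimately skips the current-password check (because the user proved control of a phone or email via OTP) should likewise bind the verified OTP to a server-side, single-use record for one specific user, rather than accepting a user identifier from the client at the moment the new password is set. The `error_log` line in step 4 is the kind of signal the mitigation section's log monitoring and WAF rules can key on.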


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-10-11T12:45:59.762Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6b61b7ef31ef0b554d4c

Added to database: 2/25/2026, 9:36:33 PM

Last enriched: 2/25/2026, 11:43:12 PM

Last updated: 2/26/2026, 7:28:49 AM

