CVE-2025-7692: CWE-288 Authentication Bypass Using an Alternate Path or Channel in gsayed786 Orion Login with SMS
The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the olws_handle_verify_phone() function not utilizing a strong enough OTP value, exposing the hash needed to generate the OTP value, and no restrictions on the number of attempts to submit the code. This makes it possible for unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number.
AI Analysis
Technical Summary
CVE-2025-7692 affects the Orion Login with SMS plugin for WordPress, specifically all versions up to and including 1.0.5. The vulnerability is categorized under CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The root cause is the flawed OTP implementation in the olws_handle_verify_phone() function: it uses a weak OTP value, exposes the hash required to generate the OTP, and imposes no restriction on the number of OTP submission attempts. Together these three defects allow an attacker who knows a victim's phone number to brute-force or predict the OTP and bypass authentication without any credentials or prior access. The attacker can then log in as the victim, including users with administrative privileges, leading to full site compromise. The vulnerability is remotely exploitable without authentication or user interaction, which increases its risk. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates a network attack vector, high attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No patches or exploit code are currently publicly available, but the vulnerability is published and should be treated as critical for affected sites.
Potential Impact
The impact of this vulnerability is severe for organizations using the Orion Login with SMS plugin. Successful exploitation allows attackers to bypass authentication controls entirely, gaining unauthorized access to user accounts, including administrators. This can lead to full site compromise, data theft, defacement, installation of backdoors, or pivoting to other systems within the network. The lack of rate limiting makes brute-force attacks on the OTP practical. Since WordPress powers a significant portion of websites globally, any site using this plugin is at risk. Compromise of administrative accounts can disrupt business operations, damage reputation, and lead to regulatory penalties if sensitive data is exposed. The vulnerability also undermines trust in SMS-based two-factor authentication mechanisms, which are widely used. Organizations with high-value WordPress deployments, especially those relying on SMS login plugins, face elevated risk of targeted or opportunistic attacks.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the Orion Login with SMS plugin to a patched version once released by the vendor. Until a patch is available, consider disabling the plugin or replacing it with a more secure multi-factor authentication solution that uses strong OTP generation and enforces rate limiting. Implement additional protective controls such as web application firewalls (WAFs) to detect and block repeated OTP submission attempts. Monitor authentication logs for suspicious activity, especially multiple failed OTP attempts or logins from unusual IP addresses. Enforce strong password policies and consider alternative second-factor methods like authenticator apps or hardware tokens. Educate users about the risks of SMS-based authentication and encourage use of more secure methods. Regularly audit WordPress plugins for vulnerabilities and remove unused or unmaintained plugins to reduce attack surface.
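As an added illustration of the controls recommended above (example code written for this page, not code from the plugin or its vendor), the Python sketch below implements the three properties the advisory says olws_handle_verify_phone() lacks: a cryptographically random OTP, a server-side keyed digest that is stored instead of the code and never sent to the client, and a hard attempt limit with expiry and single use. SERVER_KEY, the limits and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example key: in a real deployment load it from server-side config.
# The client must never see it, otherwise the OTP digest becomes predictable.
SERVER_KEY = b"example-server-key-not-for-production"
OTP_DIGITS = 6          # 10**6 possibilities, drawn uniformly with `secrets`
OTP_TTL_SECONDS = 300   # code is dead after 5 minutes regardless of attempts
MAX_ATTEMPTS = 5        # hard cap on guesses per issued code


@dataclass
class PendingOtp:
    phone: str
    digest: str          # HMAC-SHA256 of phone:code; the code itself is not stored
    expires_at: float
    attempts: int = 0


def _digest(phone: str, code: str) -> str:
    """Keyed digest so a leaked database row cannot be turned back into a code."""
    return hmac.new(SERVER_KEY, f"{phone}:{code}".encode(), hashlib.sha256).hexdigest()


def issue_otp(phone: str, now: Optional[float] = None) -> Tuple[PendingOtp, str]:
    """Generate a uniformly random OTP. Returns the record to persist and the
    plaintext code to deliver by SMS; only the record is kept server-side."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    return PendingOtp(phone, _digest(phone, code), now + OTP_TTL_SECONDS), code


def verify_otp(pending: PendingOtp, submitted: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'invalid', 'expired' or 'locked'. Every failed guess is
    counted; once MAX_ATTEMPTS is reached the record can never succeed."""
    now = time.time() if now is None else now
    if pending.attempts >= MAX_ATTEMPTS:
        return "locked"
    if now > pending.expires_at:
        return "expired"
    pending.attempts += 1
    if hmac.compare_digest(_digest(pending.phone, submitted), pending.digest):
        pending.attempts = MAX_ATTEMPTS   # single use: burn the record on success
        return "ok"
    return "locked" if pending.attempts >= MAX_ATTEMPTS else "invalid"
```

Persist `PendingOtp` keyed by phone number and compare with `hmac.compare_digest`, as shown, so neither timing nor a leaked row reveals the code.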
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Brazil, Japan, Netherlands, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-15T19:31:18.509Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687f5a59a83201eaac1a3a87
Added to database: 7/22/2025, 9:31:05 AM
Last enriched: 2/26/2026, 4:29:26 PM
Last updated: 3/25/2026, 4:11:18 AM