CVE-2025-9967: CWE-288 Authentication Bypass Using an Alternate Path or Channel in gsayed786 Orion SMS OTP Verification
The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change an arbitrary user's password to a one-time password if the attacker knows the user's phone number.
AI Analysis
Technical Summary
CVE-2025-9967 is a critical vulnerability classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) in the Orion SMS OTP Verification plugin for WordPress, developed by gsayed786. All plugin versions up to and including 1.1.7 are affected.

The root cause is that the plugin updates a user's password without first establishing that the requester is that user. The password-change step is reachable through the OTP flow itself: a request that names a phone number is enough to have the plugin overwrite the matching account's password with a freshly generated one-time password. Knowledge of a phone number is treated as proof of identity, which is exactly the alternate-path bypass CWE-288 describes. The request needs no session, no existing credential and no action from the victim. At minimum every such request invalidates the victim's real password; Wordfence, the assigning CNA, rates the outcome as privilege escalation via account takeover.

The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical): network attack vector, low attack complexity, no privileges required and no user interaction. The consequence is full compromise of targeted accounts, administrators included, with data theft, site defacement or further movement within the WordPress installation as follow-on effects.

At the time of publication no patched release was available and no in-the-wild exploitation had been observed. The CVE was reserved on September 3, 2025 and published on October 15, 2025. Because the plugin exists precisely to add SMS-based verification, sites that deployed it as a second factor have instead gained an unauthenticated password-change path.
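To make the CWE-288 shape concrete, here is an added illustration in the form of small WordPress AJAX handlers. It is not code from the Orion SMS OTP Verification plugin and says nothing about how that plugin is actually written; the user-meta key `phone`, the `send_sms()` helper and the `demo_*` action names are assumptions made for the example. The first handler has the property the advisory describes: a phone number alone causes the account password to be overwritten with a new OTP before anyone has proven they hold that phone. The hardened pair keeps the OTP as a challenge stored server-side and bound to the user, and only logs the caller in after the code is returned; the stored password is never touched.

```php
<?php
/*
 * Added illustration only: NOT the Orion SMS OTP Verification plugin's code.
 * Hypothetical phone-number login for WordPress, first with the CWE-288 shape
 * described in the advisory, then hardened.
 *
 * Assumptions (not taken from the advisory): the phone number is stored in
 * user meta under 'phone'; send_sms() is a hypothetical SMS gateway wrapper;
 * the 'demo_*' AJAX action names are invented for this example.
 */

function demo_user_by_phone( $phone ) {
    if ( '' === $phone ) {
        return null;
    }
    $users = get_users( array( 'meta_key' => 'phone', 'meta_value' => $phone, 'number' => 1 ) );
    return empty( $users ) ? null : $users[0];
}

// ---- Vulnerable shape ------------------------------------------------------
// A request carrying only a phone number overwrites the matching account's
// password with a fresh OTP. No session, no nonce, no proof that the caller
// holds the phone: anyone who knows the number can trigger it for any user.
function demo_vuln_otp_request() {
    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $user  = demo_user_by_phone( $phone );
    if ( ! $user ) {
        wp_send_json_error( 'unknown phone' );
    }
    $otp = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT );
    wp_set_password( $otp, $user->ID );      // privileged change before any identity check
    send_sms( $phone, "Your login code is $otp" );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_demo_vuln_otp_request', 'demo_vuln_otp_request' );

// ---- Hardened shape --------------------------------------------------------
// The OTP is a challenge, not the password. It is stored hashed, bound to the
// user, short-lived, single-use and guess-limited; the account changes only
// after the caller returns the code, and the stored password is never touched.
const DEMO_OTP_TTL       = 300; // seconds a code stays valid
const DEMO_OTP_MAX_TRIES = 5;   // wrong guesses before the challenge is burned

function demo_otp_request() {
    check_ajax_referer( 'demo_otp', 'nonce' );
    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $user  = demo_user_by_phone( $phone );
    // Identical response whether or not the number is known: the endpoint must
    // not enumerate which phone numbers belong to accounts.
    if ( $user && ! get_transient( "demo_otp_sent_{$user->ID}" ) ) {
        $otp = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT );
        set_transient( "demo_otp_{$user->ID}", array(
            'hash'    => password_hash( $otp, PASSWORD_DEFAULT ),
            'tries'   => 0,
            'expires' => time() + DEMO_OTP_TTL,
        ), DEMO_OTP_TTL );
        set_transient( "demo_otp_sent_{$user->ID}", 1, 60 ); // one send per minute per user
        send_sms( $phone, "Your login code is $otp" );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_demo_otp_request', 'demo_otp_request' );

function demo_otp_verify() {
    check_ajax_referer( 'demo_otp', 'nonce' );
    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $code  = preg_replace( '/\D/', '', (string) ( $_POST['code'] ?? '' ) );
    $user  = demo_user_by_phone( $phone );
    $state = $user ? get_transient( "demo_otp_{$user->ID}" ) : false;
    if ( ! is_array( $state ) || time() > $state['expires'] ) {
        wp_send_json_error( 'invalid code' );     // never issued, or expired
    }
    if ( $state['tries'] >= DEMO_OTP_MAX_TRIES ) {
        delete_transient( "demo_otp_{$user->ID}" );
        wp_send_json_error( 'invalid code' );     // too many guesses: burn it
    }
    if ( '' === $code || ! password_verify( $code, $state['hash'] ) ) {
        $state['tries']++;
        set_transient( "demo_otp_{$user->ID}", $state, max( 1, $state['expires'] - time() ) );
        wp_send_json_error( 'invalid code' );
    }
    delete_transient( "demo_otp_{$user->ID}" );   // single use
    wp_set_auth_cookie( $user->ID, false );       // identity proven: start a session
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_demo_otp_verify', 'demo_otp_verify' );
```

Dropped into a mu-plugin, the hardened pair is driven by two POSTs to admin-ajax.php: `action=demo_otp_request` with `phone` and `nonce`, then `action=demo_otp_verify` with `phone`, `code` and `nonce`. The defining difference between the two shapes is ordering. The vulnerable handler performs the privileged state change (the password overwrite) on the request path, where the only "credential" presented is a phone number; the hardened handlers perform no state change on that path at all and let the returned code, not the number, stand as proof of identity.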
Potential Impact
Successful exploitation lets an unauthenticated attacker replace the password of any user whose phone number they know, which on this plugin amounts to full account takeover. Confidentiality, integrity and availability are all affected: attackers can read the compromised user's data, alter site content and lock legitimate users out. A compromised administrator account extends this to the whole site, allowing malicious plugins or themes to be installed, web shells planted, stored data harvested or operations disrupted.

Organizations that adopted the plugin as an SMS second factor face a direct bypass of that control; the component meant to strengthen authentication is the one that weakens it. Every site running an affected version is exposed regardless of region, with administrative and other high-value accounts the most attractive targets. Phone numbers are often public or cheaply obtainable, and the request needs neither credentials nor victim interaction, so exploitation lends itself to automation and mass scanning once public exploit code appears. Given the WordPress footprint in e-commerce, government, education and other sectors, the potential reach is broad.
Mitigation Recommendations
Until an official patch is released, treat the plugin as an unauthenticated password-change endpoint and reduce exposure immediately:

- Disable the Orion SMS OTP Verification plugin, or replace it with a maintained multi-factor solution, wherever that is feasible. Deactivating it removes the vulnerable code path entirely and is the only complete mitigation until a fix ships.
- If the plugin must stay active, add verification outside it before any password can change, for example a confirmation link sent to the account's verified e-mail address, and rate-limit its unauthenticated endpoints at the web server or WAF.
- Do not rely on restricting the WordPress admin interface by IP allow-list or VPN alone: the vulnerable request is unauthenticated and need not pass through the admin screens. Admin restriction still limits what an attacker can do with a stolen administrator session, so keep it, but it is not a fix for this issue.
- Monitor web-server and WordPress logs for password changes the affected user did not initiate, for bursts of OTP or password-reset requests from a single source, and for repeated requests that cycle through phone numbers. Add WAF rules that block or throttle those patterns.
- Tell users to report unexpected OTP text messages or password-changed notifications promptly; an unsolicited code is the victim-side sign of an attempt.
- Once a patch is available, apply it without delay and confirm the installed version is later than 1.1.7.
- After remediation, audit user accounts (administrators first) for unauthorized changes, force a password reset for all users and terminate existing sessions.
- Keep an inventory of third-party plugins and review security advisories regularly so the next issue can be handled quickly.
Affected Countries
United States, India, Germany, United Kingdom, Canada, Australia, Brazil, France, Japan, Netherlands, Italy, South Korea, Spain, Russia, Mexico
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-03T23:15:21.262Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ef5c7ec4f69c9730e56a1c
Added to database: 10/15/2025, 8:34:06 AM
Last enriched: 2/26/2026, 6:25:47 PM
Last updated: 3/25/2026, 2:01:54 AM