The AdForest WordPress theme contains a missing authentication check (CWE-306) in the 'sb_login_user_with_otp_fun' function, which is responsible for user login via OTP. Due to improper verification, attackers can bypass authentication controls and gain unauthorized access to user accounts without credentials. This affects all versions up to and including 6.0.12. The vulnerability has a CVSS 3.1 base score of 9.8, indicating critical severity with network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.

Successful exploitation allows unauthenticated attackers to log in as any user, including administrators, resulting in complete compromise of the affected WordPress site. This can lead to unauthorized data access, modification, deletion, and potential takeover of the website and its underlying infrastructure.

Patch status is not yet confirmed — no official fix or patch links are provided. Users should monitor the vendor's advisory for updates and apply any official patches once available. Until then, restrict access to the affected plugin and consider disabling it if possible to prevent exploitation.