The vulnerability in the glboy OTP Login With Phone Number, OTP Verification plugin stems from improper authentication (CWE-287) due to the Firebase verification flow in the `lwp_ajax_register` AJAX handler not binding the Firebase session to the phone number in the request. The function `idehweb_lwp_activate_through_firebase()` validates the Firebase OTP session but does not verify that the phone number returned by Firebase matches the victim's stored phone number. This allows unauthenticated attackers to bypass authentication by verifying their own Firebase session and submitting the victim's phone number, effectively impersonating any user with a stored phone number, including administrators. The vulnerability affects versions 1.8.50 through 1.8.60 of the plugin. The plugin is cloud-hosted, and a patch is available to address this issue.

Successful exploitation allows unauthenticated attackers to bypass authentication controls and log in as any user with a phone number stored in user metadata, including high-privilege administrator accounts. This results in full compromise of affected WordPress sites, including confidentiality, integrity, and availability impacts as reflected by the CVSS score of 9.8.

Since the plugin is a cloud-hosted service, the vendor manages remediation server-side. A patch is available for this vulnerability. Users should ensure that their plugin version is updated beyond 1.8.60 or apply the vendor-provided fix as soon as possible. Check the vendor advisory for confirmation of patch deployment and further guidance. No additional mitigation steps are indicated by the vendor advisory.