CVE-2026-14245: Critical Authentication Bypass in miniOrange OTP Login, Verification and SMS Notifications Plugin
The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover. This vulnerability, with a CVSS score of 9.8, allows unauthenticated attackers to take control of an arbitrary Administrator account. The plugin's flawed implementation of the password reset process enables attackers to obtain a freshly generated password-reset URL for an Administrator account. Immediate patching is recommended.