CVE-2026-14245: miniOrange OTP Verification WordPress Auth Bypass
TL;DR - Critical auth bypass in miniOrange OTP Login, Verification, and SMS Notifications up to 5.5.1. - Sites using Ultimate Member password reset integration are the key exposure case. - Upgrade immediately to 5.5.2 and review password reset and admin activity logs.
Vulnerability at a Glance
| Field | Value |
|---|---|
| CVE ID | CVE-2026-14245 |
| CVSS score | 9.8 (Critical) |
| Attack vector | Network |
| Privileges required | None |
| Patch available | Yes, likely fixed in 5.5.2 |
This is a critical authentication bypass in the miniOrange OTP Login, Verification, and SMS Notifications plugin for WordPress. According to the NVD description, the flaw allows an unauthenticated attacker to obtain a valid password reset URL for an arbitrary account, including an administrator account, and then complete account takeover.
Exposure is conditional. The vulnerable path requires the Ultimate Member Password Reset Form integration to be active, and the plugin must not be configured for phone-only reset. That means not every site running the plugin is necessarily exploitable through this path, but any site meeting those conditions should treat this as urgent.
What Is This Vulnerability?
CVE-2026-14245 is an authentication bypass caused by a broken password reset flow in the plugin’s um_reset_password_process_hook() function. Per the NVD record, the function fails to enforce server-side verification that OTP validation actually occurred. Instead, the workflow relies on a form_nonce value that is publicly exposed to unauthenticated visitors through the moumprvar JavaScript object on the Ultimate Member password reset page.
That design breaks an important security boundary. A nonce can help protect request integrity, but it is not a substitute for verifying that a user has completed a prior authentication or OTP challenge. In this case, the plugin also accepts an attacker-controlled username_b parameter, and the flow is not bound to a previously validated OTP session. As described by NVD, there is also no role restriction, so the target can be any WordPress user, including administrators.
The practical result is severe: an attacker can interact with the exposed reset flow, target a chosen username, and receive a freshly generated password reset URL in an HTTP 302 Location header. If that URL is valid and the target account is privileged, the attacker can reset the password and fully take over the site.
This is why the issue rates as a 9.8 critical vulnerability. Although the flaw sits inside a plugin integration path rather than WordPress core, the impact is direct administrative compromise without prior authentication.
Technical Notes
The NVD description specifically points to the following implementation weaknesses:
- Missing server-side OTP verification in
um_reset_password_process_hook() - Reliance on a publicly exposed
form_nonce - Attacker control over
username_b - No binding between the reset request and a validated OTP session
Reference URLs in the NVD record point to plugin source locations such as:
https://plugins.trac.wordpress.org/browser/miniorange-otp-verification/tags/5.5.0/handler/forms/class-moumpasswordreset.php#L181
Who Is Affected?
The affected product is the miniOrange OTP Login, Verification, and SMS Notifications plugin for WordPress. The vulnerable versions are all versions up to and including 5.5.1. The WordPress.org plugin listing showed 5.5.2 as the current version at the time of research, which strongly suggests that 5.5.2 contains the fix.
The most important operational detail is that exploitability depends on configuration. NVD states that exploitation requires the Ultimate Member Password Reset Form integration to be active. It also requires that the plugin is not configured for phone-only reset. If your site uses the plugin but does not use that integration path, exposure to this specific bug may be lower or absent.
From a risk management standpoint, defenders should not stop at version checking alone. They should verify whether the site uses Ultimate Member for password reset workflows and whether any reset flow exposes the moumprvar JavaScript object and accepts the vulnerable request path. Shared hosting providers, managed WordPress operators, agencies managing multiple client sites, and SMBs with customized login flows should pay close attention, since plugin-driven auth changes are easy to overlook during routine patching.
If you do not know whether the integration is enabled, assume the site is potentially exposed until you confirm otherwise. That is the safer stance when the outcome is administrator takeover.
CVSS Score Breakdown
The NVD lists a CVSS v3.x base score of 9.8, which places this issue in the Critical range. The full vector string was not included in the returned NVD record used for research, so defenders should avoid guessing at every metric value. Still, the score itself is consistent with the behavior described.
A 9.8 score generally aligns with a vulnerability that is remotely reachable over the network, requires no prior authentication, and results in severe compromise. Here, the attacker can target a high-value account and obtain a valid reset URL, leading to full account takeover. That kind of impact maps to high confidentiality, integrity, and availability consequences in practice, even if the initial flaw is “just” in a password reset mechanism.
Because the full vector string was not available in the record consulted, some score components should be described carefully rather than asserted as facts. Based on the description, defenders should assume the following likely characteristics when prioritizing response:
| CVSS Component | Assessment |
|---|---|
| Attack Vector | Network, because exploitation occurs through web requests |
| Attack Complexity | Likely low, because the flaw relies on exposed values and missing server-side checks |
| Privileges Required | None |
| User Interaction | Unknown from the source record, but the described flow does not indicate victim interaction is necessary |
| Impact | High, due to potential administrator account takeover |
In the absence of the official vector string in the retrieved NVD output, defenders should prioritize according to the confirmed facts: unauthenticated exploitation path, admin takeover, and critical base score.
Exploitation Status
At the time of writing, active exploitation in the wild is not confirmed by the sources used for this article. The CVE is not currently listed in CISA’s Known Exploited Vulnerabilities catalog, which means there is no KEV-backed confirmation of active exploitation, no CISA due date, and no required federal remediation action attached to this specific issue.
That said, not on KEV does not mean safe. Vulnerabilities in WordPress authentication and password reset flows often become attractive targets quickly because public-facing login endpoints are easy to find and mass-scan. Any flaw that enables unauthenticated admin takeover should be treated as high priority even before public exploitation is formally confirmed.
Regarding proof of concept status, no primary-source public PoC was confirmed during research. Third-party references surfaced in search results, including WPScan, Wordfence, and a GitHub Advisory page, but a verified exploit repository or vendor-authored demonstration was not established from the available primary sources.
So the current state is:
- Public PoC: Not confirmed from primary sources reviewed
- Active exploitation: Not confirmed
- CISA KEV listing: No
In operational terms, defenders should assume exploit development is plausible because the vulnerability description is detailed and references code locations. That is enough for capable attackers to reproduce the issue even without a turnkey PoC.
How to Detect It
Detection should focus on unexpected password reset initiation, 302 redirects that expose reset workflows, and changes to privileged accounts shortly after suspicious unauthenticated requests. Because the NVD description says the reset URL may be returned in a 302 Location header, reverse proxy, WAF, and web server logs may contain useful evidence.
Start by checking whether your WordPress site received bursts of requests to password reset endpoints associated with Ultimate Member and the miniOrange integration. Then correlate those requests with subsequent password change events, administrator logins from new IP addresses, or plugin/theme modifications performed by newly authenticated admin sessions.
A second detection angle is configuration validation. If the site runs miniOrange OTP Verification at version 5.5.1 or earlier, and the Ultimate Member Password Reset Form integration is enabled while phone-only reset is disabled, treat the asset as exposed and review logs retroactively.
Technical Notes
Example log hunting patterns to review in web server and proxy logs:
" 302 " AND "Location:" AND ("reset" OR "password")
"username_b=" AND ("forgot" OR "reset")
"moumprvar"
"ultimate-member" AND ("password-reset" OR "reset-password")
Example grep-based review on Apache or Nginx access logs:
grep -Ei 'username_b=|moumprvar|reset-password|password-reset' /var/log/nginx/access.log
grep ' 302 ' /var/log/nginx/access.log | grep -Ei 'reset|password'
Example Splunk query:
index=web sourcetype IN (nginx,apache)
("username_b=" OR "moumprvar" OR "reset-password" OR "password-reset")
| stats count min(_time) as firstSeen max(_time) as lastSeen by src_ip, host, uri, status, user_agent
| sort - count
Example Sigma-style logic concept for a WAF or HTTP telemetry pipeline:
title: Possible exploitation of CVE-2026-14245
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- "username_b="
cs-uri-stem|contains:
- "reset"
condition: selection
level: high
If logging is limited, pivot to WordPress-level indicators:
- Unexpected password reset emails or notifications
- New administrator sessions from unusual IPs
- Admin profile changes, email changes, or password resets without user request
- Post-compromise actions such as plugin installs, PHP file edits, or scheduled task changes
Mitigation and Patching
The safest mitigation is to upgrade the miniOrange OTP Login, Verification, and SMS Notifications plugin to version 5.5.2 or later. Based on the available data, all versions up to and including 5.5.1 are affected, and 5.5.2 is the likely fixed version shown on the WordPress.org plugin page. Because a primary vendor advisory explicitly naming the CVE was not retrieved during research, phrase the remediation internally as “upgrade to the first non-affected release currently listed.”
If you cannot patch immediately, reduce exposure by disabling the vulnerable conditions called out by NVD. Specifically, review whether the Ultimate Member Password Reset Form integration is enabled, and whether the plugin is configured in a way that allows the vulnerable reset flow. If business requirements permit, temporarily disable that integration or switch to a safer reset path until the plugin is updated.
Also assume compromise is possible if an exposed site has been internet-facing for any length of time on a vulnerable version. After patching, review administrator accounts, active sessions, password reset activity, and any persistence mechanisms such as unauthorized plugins or modified theme files.
Technical Notes
Upgrade with WP-CLI:
wp plugin list | grep miniorange-otp-verification
wp plugin update miniorange-otp-verification
wp plugin status miniorange-otp-verification
If you need to verify the installed version before and after upgrade:
wp plugin get miniorange-otp-verification --fields=name,version,status
If immediate patching is not possible, use a temporary containment approach:
wp plugin deactivate miniorange-otp-verification
Or, if business impact prevents full deactivation, disable the affected password reset integration in the WordPress admin and confirm that phone-only reset or an alternate reset workflow is enforced. Because plugin settings vary by deployment and no vendor workaround document was retrieved, defenders should validate the resulting behavior manually by confirming that unauthenticated visitors cannot access the vulnerable reset path.
Post-patch response checklist:
1. Upgrade to 5.5.2 or later.
2. Invalidate active admin sessions if feasible.
3. Reset passwords for administrator accounts.
4. Review recently added users, plugins, and theme changes.
5. Search logs for reset-related 302 responses and suspicious IPs.
6. Confirm Ultimate Member reset integration behavior after the patch.
References
The primary authoritative source for this CVE is the NVD record, which provides the vulnerability description, affected version range, severity, and code reference links. The CISA KEV catalog was also checked to verify known exploitation status.
Because direct retrieval of some WordPress Trac source links returned HTTP 403 during research, those references are included as published URLs from NVD rather than quoted source excerpts. The WordPress.org plugin page was used to verify the current available version and infer the likely fixed release.
- NVD CVE record: https://nvd.nist.gov/vuln/detail/CVE-2026-14245
- CISA Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- WordPress.org plugin page: https://wordpress.org/plugins/miniorange-otp-verification/
- WordPress.org plugin page, markdown view: https://wordpress.org/plugins/miniorange-otp-verification/?output_format=md
- NVD reference to plugin source: https://plugins.trac.wordpress.org/browser/miniorange-otp-verification/tags/5.5.0/handler/forms/class-moumpasswordreset.php#L181
- NVD reference to plugin source: https://plugins.trac.wordpress.org/browser/miniorange-otp-verification/tags/5.5.0/handler/forms/class-moumpasswordreset.php#L367
- NVD reference to plugin source: https://plugins.trac.wordpress.org/browser/miniorange-otp-verification/tags/5.5.0/handler/forms/class-moumpasswordreset.php#L372
- NVD reference to plugin source: https://plugins.trac.wordpress.org/browser/miniorange-otp-verification/tags/5.5.0/handler/forms/class-moumpasswordreset.php#L98
- NVD reference to plugin source: https://plugins.trac.wordpress.org/browser/miniorange-otp-verification/tags/5.5.1/handler/forms/class-moumpasswordreset.php#L181
For further reading, you can explore the implications of authentication vulnerabilities and their mitigations in our detailed articles on what is forensic imaging and CVE-2026-11450.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.