criticalCVE-2026-14245

miniOrange OTP Login WordPress Plugin Administrator Account Takeover Vulnerability

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the `um_reset_password_process_hook()` function performing no server-side verification that the OTP validation step was completed, and relying solely on a public `form_nonce` nonce that the plugin itself emits to unauthenticated visitors via the `moumprvar` JavaScript object on the Ultimate Member password reset page, while still accepting the attacker-controlled `username_b` parameter to target any WordPress user without role restriction or any binding to a previously validated OTP session. This makes it possible for unauthenticated attackers to obtain a freshly generated password-reset URL for an arbitrary Administrator account — returned in a 302 `Location` header — and use it to take full control of that account. Exploitation requires the Ultimate Member Password Reset Form integration to be active and the plugin to not be configured for phone-only reset.

ProductminiOrange OTP Login, Verification and SMS Notifications
CVSS9.8
EPSS0.00586
UpdatedJuly 10, 2026

Quick answer

miniOrange OTP Login, Verification and SMS Notifications should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • miniOrange OTP Login, Verification and SMS Notifications up to and including 5.5.1 with Ultimate Member Password Reset Form integration active

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

miniOrange OTP Login is affected by CVE-2026-14245. Versions up to 5.5.1 can allow unauthenticated administrator account takeover because unauthenticated attackers can obtain password-reset URLs for arbitrary administrator accounts when the Ultimate Member reset integration is vulnerable. Treat exposed sites as urgent: patch, disable the affected integration, and rotate administrator sessions.

  1. Inventory WordPress sites using miniOrange OTP Login and Ultimate Member password reset integration.
  2. Update miniOrange OTP Login beyond 5.5.1 when a fixed release is available.
  3. Disable the Ultimate Member password reset integration or phone/password reset workflow until patched.
  4. Block the vulnerable reset endpoint with a WAF rule during emergency remediation.
  5. Force logout for administrators and reset passwords for privileged accounts if exposure is suspected.
  6. Review WordPress user records, password reset logs, and admin activity for unexpected changes.
  7. Rotate application secrets, API keys, and hosting/database credentials if an administrator account may have been taken over.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm miniOrange OTP Login is no longer version 5.5.1 or older.
  • Attempt a safe password reset flow in staging without OTP validation and confirm no reset URL is issued.
  • Confirm legitimate password reset and OTP workflows still require completed server-side validation.
  • Review admin account audit logs after remediation for suspicious login or profile changes.
  • Run a Fixnx scan and verify public WordPress exposure after patching.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-14245?

miniOrange OTP Login, Verification and SMS Notifications versions listed as affected should be reviewed: miniOrange OTP Login, Verification and SMS Notifications up to and including 5.5.1 with Ultimate Member Password Reset Form integration active.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.