CVE-2026-3655 | glboy OTP Login With Phone Number OTP Verification Plugin AJAX lwp_ajax_register improper authentication (EUVD-2026-33255)
ID: 3a1026d2-0cd4-59ba-bd5c-e8282f788a85
STIX ID: report--3a1026d2-0cd4-59ba-bd5c-e8282f788a85
Feed Name: VulDB Recent Entries
A critical authentication-bypass vulnerability (CVE-2026-3655) was disclosed in the WordPress plugin "OTP Login With Phone Number, OTP Verification" (v1.8.50–1.8.60). The plugin's AJAX handler fails to verify that the phone number returned by Firebase matches the victim's stored phone number. As a result, an unauthenticated remote attacker can authenticate as any user (including admins) by presenting a valid Firebase session and the victim's phone number. A CVE has been assigned and technical details are available, but no public exploit is reported.
