OTP Login With Phone Number, OTP Verification Security & Risk Analysis

wordpress.org/plugins/login-with-phone-number

OTP login with phone, SMS, or WhatsApp. OTP verification for WordPress & WooCommerce using custom gateways. GDPR-compliant. Login with otp

1K active installs · v1.8.61 · PHP + WP 4.0+ · Updated Mar 10, 2026
Tags: login, otp, phone, sms, woocommerce
Score: 86 (A · Safe)
CVEs total: 13
Unpatched: 0
Last CVE: Aug 14, 2025

Safety Verdict

Is OTP Login With Phone Number, OTP Verification Safe to Use in 2026?

Generally Safe

Score 86/100

OTP Login With Phone Number, OTP Verification has a strong security track record. Known vulnerabilities have been patched promptly.

13 known CVEs · Last CVE: Aug 14, 2025 · Updated 24d ago

Risk Assessment

The 'login-with-phone-number' plugin, version 1.8.61, presents a mixed security posture. While it demonstrates good practices such as using prepared statements for all SQL queries and a relatively high percentage of properly escaped output, significant concerns exist regarding its attack surface and historical vulnerability profile.

The static analysis reveals a large number of AJAX handlers (26) that lack authentication checks, creating a substantial unprotected attack surface. This is a critical weakness as it could allow unauthenticated users to trigger potentially sensitive actions. Taint analysis did not reveal any immediate vulnerabilities, which is positive, but the absence of analyzed flows and unsanitized paths may reflect limited analysis depth, or a lack of complex data handling that could be exploited.

The plugin's vulnerability history is alarming, with a total of 13 known CVEs, including one critical and five high-severity vulnerabilities. The variety of past vulnerability types, such as improper privilege management, XSS, authentication bypass, and CSRF, indicates recurring security flaws. The fact that all previous vulnerabilities are listed as patched (zero currently unpatched) is a mitigating factor, but the sheer volume and nature of past issues suggest a pattern of weak security implementation that requires ongoing vigilance. That the most recent vulnerability is in the past is also a positive sign. Overall, the plugin has areas of strength, but the extensive unprotected entry points and a history of severe vulnerabilities necessitate caution.

Key Concerns

  • 26 unprotected AJAX handlers
  • 13 known CVEs (1 critical, 5 high)
  • Large attack surface without auth checks
  • Vulnerability history indicates recurring flaws
  • Bundled library: Select2 (potential outdatedness)

Vulnerabilities: 13

OTP Login With Phone Number, OTP Verification Security Vulnerabilities

CVEs by Year

  • 2 CVEs in 2022
  • 2 CVEs in 2023
  • 8 CVEs in 2024
  • 1 CVE in 2025

Severity Breakdown

  • Critical: 1
  • High: 5
  • Medium: 7

13 total CVEs

CVE-2025-8342 · high · 8.1 · Missing Authorization
WooCommerce OTP Login With Phone Number, OTP Verification <= 1.8.47 - Authentication Bypass
Aug 14, 2025 · Patched in 1.8.48 (1d)

CVE-2024-6482 · high · 8.8 · Improper Privilege Management
Login with phone number <= 1.7.49 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation
Sep 14, 2024 · Patched in 1.7.50 (1d)

CVE-2024-37429 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Login with phone number <= 1.7.35 - Authenticated (Administrator+) Stored Cross-Site Scripting
Jun 28, 2024 · Patched in 1.7.36 (5d)

CVE-2024-6125 · high · 8.1 · Weak Password Recovery Mechanism for Forgotten Password
Login with phone number <= 1.7.34 - Insecure Password Reset Mechanism
Jun 18, 2024 · Patched in 1.7.35 (1d)

CVE-2024-5150 · critical · 9.8 · Authentication Bypass Using an Alternate Path or Channel
Login with phone number <= 1.7.26 - Authentication Bypass due to Missing Empty Value Check
May 28, 2024 · Patched in 1.7.27 (1d)

CVE-2024-34371 · medium · 4.3 · Missing Authorization
Login with phone number <= 1.7.18 - Missing Authorization
May 3, 2024 · Patched in 1.7.20 (5d)

CVE-2024-32832 · medium · 5.3 · Missing Authorization
Login with phone number <= 1.6.93 - Missing Authorization
Apr 22, 2024 · Patched in 1.6.94 (8d)

CVE-2024-32507 · high · 8.8 · Authorization Bypass Through User-Controlled Key
Login with phone number <= 1.7.16 - Unauthorized Account Password Change to Privilege Escalation
Apr 15, 2024 · Patched in 1.7.17 (11d)

CVE-2024-31424 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Login with phone number <= 1.6.93 - Cross-Site Request Forgery
Apr 10, 2024 · Patched in 1.6.94 (7d)

CVE-2023-4916 · high · 8.8 · Cross-Site Request Forgery (CSRF)
Login with phone number <= 1.5.6 - Cross-Site Request Forgery to User Password Change
Sep 12, 2023 · Patched in 1.5.7 (133d)

CVE-2023-23492 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Login with phone number <= 1.4.2 - Reflected Cross-Site Scripting
Jan 12, 2023 · Patched in 1.4.2 (376d)

CVE-2022-0598 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Login with phone number <= 1.3.7 - Authenticated (Admin+) Stored Cross-Site Scripting
Jul 5, 2022 · Patched in 1.3.8 (567d)

CVE-2022-0593 · medium · 6.5 · External Control of File Name or Path
Login with phone number <= 1.3.6 - Unauthenticated Remote Plugin Deletion
Feb 16, 2022 · Patched in 1.3.7 (706d)

Code Analysis
Analyzed Mar 16, 2026

OTP Login With Phone Number, OTP Verification Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (1 prepared)
  • Unescaped Output: 117 (318 escaped)
  • Nonce Checks: 16
  • Capability Checks: 1
  • File Operations: 0
  • External Requests: 5
  • Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

73% escaped · 435 total outputs

Attack Surface: 26 unprotected

OTP Login With Phone Number, OTP Verification Attack Surface

Entry Points: 29
Unprotected: 26

AJAX Handlers 26

auth · wp_ajax_lwp_media_get_image · login-with-phonenumber.php:45
auth · wp_ajax_idehweb_lwp_merge_old_woocommerce_users · login-with-phonenumber.php:58
auth · wp_ajax_idehweb_lwp_auth_customer · login-with-phonenumber.php:59
auth · wp_ajax_idehweb_lwp_auth_customer_with_website · login-with-phonenumber.php:60
auth · wp_ajax_idehweb_lwp_activate_customer · login-with-phonenumber.php:61
auth · wp_ajax_idehweb_lwp_check_credit · login-with-phonenumber.php:62
auth · wp_ajax_idehweb_lwp_get_shop · login-with-phonenumber.php:63
auth · wp_ajax_lwp_ajax_login · login-with-phonenumber.php:64
auth · wp_ajax_lwp_update_password_action · login-with-phonenumber.php:65
auth · wp_ajax_lwp_enter_password_action · login-with-phonenumber.php:66
auth · wp_ajax_lwp_ajax_login_with_email · login-with-phonenumber.php:67
auth · wp_ajax_lwp_ajax_verify_with_email · login-with-phonenumber.php:68
auth · wp_ajax_lwp_ajax_register · login-with-phonenumber.php:69
auth · wp_ajax_lwp_activate_email · login-with-phonenumber.php:70
auth · wp_ajax_lwp_forgot_password · login-with-phonenumber.php:71
auth · wp_ajax_lwp_verify_domain · login-with-phonenumber.php:72
nopriv · wp_ajax_lwp_verify_domain · login-with-phonenumber.php:73
nopriv · wp_ajax_lwp_ajax_login · login-with-phonenumber.php:74
nopriv · wp_ajax_lwp_ajax_login_with_email · login-with-phonenumber.php:75
nopriv · wp_ajax_lwp_ajax_verify_with_email · login-with-phonenumber.php:76
nopriv · wp_ajax_lwp_ajax_register · login-with-phonenumber.php:77
nopriv · wp_ajax_lwp_activate_email · login-with-phonenumber.php:78
nopriv · wp_ajax_lwp_update_password_action · login-with-phonenumber.php:79
nopriv · wp_ajax_lwp_enter_password_action · login-with-phonenumber.php:80
nopriv · wp_ajax_lwp_forgot_password · login-with-phonenumber.php:81
auth · wp_ajax_lwp_set_countries · login-with-phonenumber.php:82

Shortcodes 3

[idehweb_lwp] login-with-phonenumber.php:86
[idehweb_lwp_metas] login-with-phonenumber.php:87
[idehweb_lwp_verify_email] login-with-phonenumber.php:88

WordPress Hooks 31

action · idehweb_custom_fields · gateways\lwp-drpayamak\lwp-drpayamak.php:6
filter · lwp_add_to_default_gateways · gateways\lwp-drpayamak\lwp-drpayamak.php:7
action · lwp_send_sms_drpayamak · gateways\lwp-drpayamak\lwp-drpayamak.php:8
action · idehweb_custom_fields · gateways\lwp-kavenegar\lwp-kavenegar.php:7
filter · lwp_add_to_default_gateways · gateways\lwp-kavenegar\lwp-kavenegar.php:8
action · lwp_send_sms_kavenegar · gateways\lwp-kavenegar\lwp-kavenegar.php:9
action · woodmart_before_wp_footer · inc\frontend-functions.php:25
action · init · login-with-phonenumber.php:39
action · admin_init · login-with-phonenumber.php:40
action · admin_menu · login-with-phonenumber.php:41
action · admin_footer · login-with-phonenumber.php:42
action · admin_notices · login-with-phonenumber.php:43
action · admin_enqueue_scripts · login-with-phonenumber.php:44
filter · body_class · login-with-phonenumber.php:46
action · wp_enqueue_scripts · login-with-phonenumber.php:48
action · show_user_profile · login-with-phonenumber.php:49
action · edit_user_profile · login-with-phonenumber.php:50
action · personal_options_update · login-with-phonenumber.php:51
action · edit_user_profile_update · login-with-phonenumber.php:52
action · wp_head · login-with-phonenumber.php:53
action · pre_user_query · login-with-phonenumber.php:54
action · wp_footer · login-with-phonenumber.php:55
action · woodmart_before_wp_footer · login-with-phonenumber.php:56
action · activated_plugin · login-with-phonenumber.php:84
action · set_logged_in_cookie · login-with-phonenumber.php:89
filter · manage_users_columns · login-with-phonenumber.php:91
filter · manage_users_custom_column · login-with-phonenumber.php:92
filter · manage_users_sortable_columns · login-with-phonenumber.php:93
filter · woocommerce_locate_template · login-with-phonenumber.php:94
filter · learn-press/override-templates · login-with-phonenumber.php:95
filter · learn_press_locate_template · login-with-phonenumber.php:98

Maintenance & Trust

OTP Login With Phone Number, OTP Verification Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Mar 10, 2026
PHP min version
Downloads: 127K

Community Trust

Rating: 98/100
Number of ratings: 79
Active installs: 1K

Developer Profile

OTP Login With Phone Number, OTP Verification Developer Profile

Hamid Alinia

4 plugins · 1K total installs

Trust score: 69
Avg Security Score: 85/100
Avg Patch Time: 140 days
Detection Fingerprints

How We Detect OTP Login With Phone Number, OTP Verification

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/login-with-phone-number/styles/lwp-admin.css
/wp-content/plugins/login-with-phone-number/scripts/select2.full.min.js
/wp-content/plugins/login-with-phone-number/scripts/chat.js
/wp-content/plugins/login-with-phone-number/styles/lwp-login-style.css
/wp-content/plugins/login-with-phone-number/scripts/jquery.validate.js
/wp-content/plugins/login-with-phone-number/scripts/lwp-login-script.js

Script Paths
/wp-content/plugins/login-with-phone-number/scripts/select2.full.min.js
/wp-content/plugins/login-with-phone-number/scripts/chat.js
/wp-content/plugins/login-with-phone-number/scripts/jquery.validate.js
/wp-content/plugins/login-with-phone-number/scripts/lwp-login-script.js

Version Parameters
login-with-phone-number/styles/lwp-admin.css?ver=1.8.61
login-with-phone-number/scripts/select2.full.min.js?ver=
login-with-phone-number/scripts/chat.js?ver=
login-with-phone-number/styles/lwp-login-style.css?ver=
login-with-phone-number/scripts/jquery.validate.js?ver=
login-with-phone-number/scripts/lwp-login-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
lwp-enabled
JS Globals
lwp_ajax_object
REST Endpoints
/wp-json/lwp/v1/send_sms
/wp-json/lwp/v1/verify_otp
Shortcode Output
[idehweb_lwp]
[idehweb_lwp_metas]
[idehweb_lwp_verify_email]
FAQ

Frequently Asked Questions about OTP Login With Phone Number, OTP Verification