OTP Login & Register Woocommerce Security & Risk Analysis

wordpress.org/plugins/mobile-login-woocommerce

Allow users to log in/sign up with a one-time password (OTP) sent to their mobile device.

2K active installs · v2.7.2 · PHP 5.2.4+ · WP 3.0.1+ · Updated Mar 7, 2026
Tags: 2fa, login-with-otp, one-time-password, woocommerce-login
Score: 96 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Jun 5, 2024
Safety Verdict

Is OTP Login & Register Woocommerce Safe to Use in 2026?

Generally Safe

Score 96/100

OTP Login & Register Woocommerce has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Jun 5, 2024 · Updated 27d ago
Risk Assessment

The "mobile-login-woocommerce" v2.7.2 plugin presents a mixed security posture. While it demonstrates good practices by utilizing prepared statements for all SQL queries and a high percentage of output escaping, significant concerns arise from its attack surface. A substantial nine out of twelve AJAX handlers lack authentication checks, creating potential entry points for unauthorized actions. The absence of REST API routes and shortcodes is a positive aspect. The taint analysis, although limited in scope, did reveal two flows with unsanitized paths, which warrants attention despite no critical or high severity findings in this specific analysis.

The plugin's vulnerability history is a major red flag. Three known CVEs, two of high severity and one medium, with the most recent dated June 5, 2024, indicate a recurring pattern of security weaknesses. The types of past vulnerabilities, such as missing authorization, improper authentication, and Cross-Site Scripting, align with the concerns identified in the static analysis regarding unprotected AJAX handlers and unsanitized paths. The fact that no CVEs are currently unpatched is a positive sign that the developers are responsive to known issues, but the historical prevalence suggests a need for more robust security development practices. Overall, while there are strengths in its handling of SQL and output, the significant number of unprotected AJAX endpoints and the concerning vulnerability history necessitate caution.

Key Concerns

  • Significant attack surface without auth checks
  • Flows with unsanitized paths found
  • Two high severity CVEs
  • One medium severity CVE
  • Recent vulnerability (2024-06-05)
Vulnerabilities: 3

OTP Login & Register Woocommerce Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2023: 1 CVE
  • 2024: 1 CVE

Severity Breakdown

  • High: 2
  • Medium: 1

3 total CVEs

CVE-2024-5324 · high · 8.8 · Missing Authorization

XootiX Framework <= Various Plugin Versions - Missing Authorization to Arbitrary Options Update

Jun 5, 2024 · Patched in 2.6.2 (40d)

CVE-2023-2706 · high · 8.1 · Improper Authentication

OTP Login Woocommerce & Gravity Forms <= 2.2 - Authentication Bypass to Privilege Escalation

May 16, 2023 · Patched in 2.3 (252d)

WF-3887a61f-03ae-4b37-a81f-1ea39a111e3c-mobile-login-woocommerce · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

OTP Login Woocommerce & Gravity Forms <= 2.0 - Cross-Site Scripting

May 26, 2022 · Patched in 2.1 (607d)
Code Analysis
Analyzed Mar 16, 2026

OTP Login & Register Woocommerce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 20 (212 escaped)
Nonce Checks: 5
Capability Checks: 7
File Operations: 3
External Requests: 9
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

91% escaped · 232 total outputs
Data Flows: 2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
process_otp_form (includes\class-xoo-ml-verification.php:405)
Attack Surface: 9 unprotected

OTP Login & Register Woocommerce Attack Surface

Entry Points: 12
Unprotected: 9

AJAX Handlers 12

auth · wp_ajax_xoo_ml_admin_whatsapp_fetch · admin\class-xoo-ml-admin-settings.php:59
auth · wp_ajax_xoo_ml_admin_whatsapp_register · admin\class-xoo-ml-admin-settings.php:60
auth · wp_ajax_xoo_ml_request_otp · includes\class-xoo-ml-verification.php:21
nopriv · wp_ajax_xoo_ml_request_otp · includes\class-xoo-ml-verification.php:22
auth · wp_ajax_xoo_ml_otp_form_submit · includes\class-xoo-ml-verification.php:24
nopriv · wp_ajax_xoo_ml_otp_form_submit · includes\class-xoo-ml-verification.php:25
auth · wp_ajax_xoo_ml_resend_otp · includes\class-xoo-ml-verification.php:27
nopriv · wp_ajax_xoo_ml_resend_otp · includes\class-xoo-ml-verification.php:28
nopriv · wp_ajax_xoo_ml_login_with_otp · includes\class-xoo-ml-verification.php:40
auth · wp_ajax_xoo_admin_settings_save · includes\xoo-framework\admin\class-xoo-admin-settings.php:51
auth · wp_ajax_xoo_admin_settings_export · includes\xoo-framework\admin\class-xoo-admin-settings.php:52
auth · wp_ajax_xoo_admin_settings_import · includes\xoo-framework\admin\class-xoo-admin-settings.php:53
WordPress Hooks 58
action · init · admin\class-xoo-ml-admin-settings.php:29
action · admin_menu · admin\class-xoo-ml-admin-settings.php:30
action · xoo_tab_page_end · admin\class-xoo-ml-admin-settings.php:35
action · xoo_tab_page_start · admin\class-xoo-ml-admin-settings.php:37
action · xoo_as_enqueue_scripts · admin\class-xoo-ml-admin-settings.php:39
filter · xoo_admin_setting_field_callback_html · admin\class-xoo-ml-admin-settings.php:44
filter · xoo_admin_setting_field_callback_html · admin\class-xoo-ml-admin-settings.php:46
action · admin_init · admin\class-xoo-ml-admin-settings.php:50
action · admin_head · admin\class-xoo-ml-admin-settings.php:53
filter · pre_update_option · admin\class-xoo-ml-admin-settings.php:55
action · xoo_as_setting_sidebar_mobile-login-woocommerce · admin\class-xoo-ml-admin-settings.php:57
action · edit_user_profile · admin\class-xoo-ml-users-table.php:21
action · show_user_profile · admin\class-xoo-ml-users-table.php:22
action · edit_user_profile_update · admin\class-xoo-ml-users-table.php:23
action · personal_options_update · admin\class-xoo-ml-users-table.php:24
action · user_profile_update_errors · admin\class-xoo-ml-users-table.php:26
filter · xoo_el_user_profile_fields · admin\class-xoo-ml-users-table.php:27
filter · manage_users_columns · admin\class-xoo-ml-users-table.php:29
filter · manage_users_custom_column · admin\class-xoo-ml-users-table.php:30
action · edit_user_profile · admin\includes\class-xoo-ml-users-table.php:21
action · edit_user_profile_update · admin\includes\class-xoo-ml-users-table.php:22
action · user_profile_update_errors · admin\includes\class-xoo-ml-users-table.php:23
filter · xoo_el_user_profile_fields · admin\includes\class-xoo-ml-users-table.php:24
filter · manage_users_columns · admin\includes\class-xoo-ml-users-table.php:26
filter · manage_users_custom_column · admin\includes\class-xoo-ml-users-table.php:27
action · init · includes\class-xoo-ml-frontend.php:28
action · woocommerce_login_form_end · includes\class-xoo-ml-frontend.php:33
filter · gettext · includes\class-xoo-ml-frontend.php:34
action · woocommerce_register_form_start · includes\class-xoo-ml-frontend.php:38
action · woocommerce_edit_account_form_start · includes\class-xoo-ml-frontend.php:39
action · wp_enqueue_scripts · includes\class-xoo-ml-frontend.php:43
action · wp_enqueue_scripts · includes\class-xoo-ml-frontend.php:44
action · gform_field_standard_settings · includes\class-xoo-ml-gravity-form.php:10
action · gform_editor_js · includes\class-xoo-ml-gravity-form.php:11
filter · gform_field_content · includes\class-xoo-ml-gravity-form.php:12
filter · gform_field_validation · includes\class-xoo-ml-gravity-form.php:13
filter · xoo_ml_get_phone_forms · includes\class-xoo-ml-gravity-form.php:14
action · gform_pre_submission · includes\class-xoo-ml-gravity-form.php:15
action · init · includes\class-xoo-ml-verification.php:30
action · user_register · includes\class-xoo-ml-verification.php:32
filter · authenticate · includes\class-xoo-ml-verification.php:34
action · xoo_ml_otp_validation_success · includes\class-xoo-ml-verification.php:36
action · xoo_ml_otp_validation_success · includes\class-xoo-ml-verification.php:37
action · init · includes\xoo-framework\admin\class-xoo-admin-settings.php:57
action · init · includes\xoo-framework\admin\class-xoo-admin-settings.php:58
action · admin_enqueue_scripts · includes\xoo-framework\admin\class-xoo-admin-settings.php:62
action · wp_loaded · includes\xoo-framework\admin\class-xoo-admin-settings.php:64
action · xoo_tab_page_start · includes\xoo-framework\admin\class-xoo-admin-settings.php:65
action · xoo_tab_page_start · includes\xoo-framework\admin\class-xoo-admin-settings.php:66
action · admin_notices · includes\xoo-framework\admin\class-xoo-admin-settings.php:72
action · admin_init · includes\xoo-framework\admin\class-xoo-admin-settings.php:73
action · admin_init · includes\xoo-framework\admin\class-xoo-admin-settings.php:74
action · init · includes\xoo-framework\class-xoo-helper.php:41
action · admin_init · includes\xoo-framework\class-xoo-helper.php:42
filter · wp_mail_from · includes\xoo-framework\class-xoo-helper.php:430
filter · wp_mail_from_name · includes\xoo-framework\class-xoo-helper.php:431
filter · wp_mail_content_type · includes\xoo-framework\class-xoo-helper.php:432
action · plugins_loaded · xoo-ml-main.php:44
Maintenance & Trust

OTP Login & Register Woocommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 7, 2026
PHP min version: 5.2.4
Downloads: 94K

Community Trust

Rating: 92/100
Number of ratings: 44
Active installs: 2K
Developer Profile

OTP Login & Register Woocommerce Developer Profile

xootix

6 plugins · 136K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 320 days
Detection Fingerprints

How We Detect OTP Login & Register Woocommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mobile-login-woocommerce/admin/css/xoo-ml-admin-style.css
/wp-content/plugins/mobile-login-woocommerce/admin/js/xoo-ml-admin-script.js
/wp-content/plugins/mobile-login-woocommerce/assets/css/xoo-ml-style.css
/wp-content/plugins/mobile-login-woocommerce/assets/js/xoo-ml-script.js
Script Paths
/wp-content/plugins/mobile-login-woocommerce/admin/js/xoo-ml-admin-script.js
/wp-content/plugins/mobile-login-woocommerce/assets/js/xoo-ml-script.js
Version Parameters
mobile-login-woocommerce/admin/css/xoo-ml-admin-style.css?ver=
mobile-login-woocommerce/admin/js/xoo-ml-admin-script.js?ver=
mobile-login-woocommerce/assets/css/xoo-ml-style.css?ver=
mobile-login-woocommerce/assets/js/xoo-ml-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
xoo-ml-wrap, xoo-ml-otp-form, xoo-ml-login-form, xoo-ml-register-form, xoo-ml-account-wrap, xoo-ml-input-container, xoo-ml-login-button, xoo-ml-register-button, +3 more
HTML Comments
<!-- XooML -->
Data Attributes
data-xoo-ml-action, data-xoo-ml-countdown, data-xoo-ml-target
JS Globals
xoo_ml_params