Login with OTP Security & Risk Analysis

wordpress.org/plugins/otp-login

Login with OTP for WordPress and WooCommerce. Secure your site by replacing static passwords with One Time Password (OTP) for login.

100 active installs v1.6 PHP 7.3+ WP 6.0+ Updated Jul 10, 2025
loginmobile-otpone-time-passwordotp-loginwoocommerce-otp
57
C · Use Caution
CVEs total2
Unpatched1
Last CVEMay 26, 2026
Safety Verdict

Is Login with OTP Safe to Use in 2026?

Use With Caution

Score 57/100

Login with OTP has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

2 known CVEs 1 unpatched Last CVE: May 26, 2026Updated 1yr ago
Risk Assessment

The static analysis of the otp-login plugin v1.6 reveals a strong security posture in its current implementation. There are no identified entry points such as AJAX handlers, REST API routes, shortcodes, or cron events, which significantly reduces the plugin's attack surface. The code demonstrates good practices by exclusively using prepared statements for SQL queries and ensuring all outputs are properly escaped. The absence of dangerous functions, file operations, external HTTP requests, and unsanitized taint flows further contributes to a positive security assessment. The plugin also correctly implements capability checks, albeit without nonce checks on the few identified entry points (which are zero in this case).

However, the plugin has a history of known vulnerabilities, specifically one high-severity "Authentication Bypass Using an Alternate Path or Channel" vulnerability discovered recently. While this specific vulnerability is reported as unpatched, its absence from the current static analysis could indicate it has been addressed in a later version, or it might be a limitation of the static analysis performed. The presence of a past high-severity vulnerability, regardless of its current status, warrants caution and a thorough review of any updates or patches related to it.

In conclusion, the current version of otp-login v1.6 appears to be well-secured based on the provided static analysis, exhibiting minimal attack surface and robust code practices. The primary concern stems from its vulnerability history, particularly the past authentication bypass issue. It is crucial to ensure that all known vulnerabilities have been addressed and to monitor for any future security advisories.

Key Concerns

  • Known high-severity vulnerability
  • Vulnerability history: Authentication Bypass
Vulnerabilities
2 published

Login with OTP Security Vulnerabilities

CVEs by Year

1 CVE in 2024
2024
1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Critical
1
High
1

2 total CVEs

CVE-2026-8760critical · 9.8Improper Restriction of Excessive Authentication Attempts

Login with OTP <= 1.6 - Unauthenticated Authentication Bypass via OTP Brute Force

May 26, 2026Unpatched
CVE-2024-11178high · 8.1Authentication Bypass Using an Alternate Path or Channel

Login With OTP <= 1.4.2 - Authentication Bypass via Weak OTP

Dec 5, 2024 Patched in 1.5 (90d)
Version History

Login with OTP Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Login with OTP Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
0
0 escaped
Nonce Checks
0
Capability Checks
2
File Operations
0
External Requests
0
Bundled Libraries
0
Attack Surface

Login with OTP Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 3
actionadmin_initotp-login.php:37
actionadmin_menuotp-login.php:38
actionadmin_bar_menuotp-login.php:39
Maintenance & Trust

Login with OTP Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedJul 10, 2025
PHP min version7.3
Downloads8K

Community Trust

Rating86/100
Number of ratings3
Active installs100
Developer Profile

Login with OTP Developer Profile

WP-EXPERTS.IN

21 plugins · 30K total installs

70
trust score
Avg Security Score
87/100
Avg Patch Time
347 days
View full developer profile
Detection Fingerprints

How We Detect Login with OTP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/otp-login/css/otpl-admin.css/wp-content/plugins/otp-login/js/otpl-admin.js
Script Paths
/wp-content/plugins/otp-login/js/otpl-admin.js
Version Parameters
otp-login/css/otpl-admin.css?ver=otp-login/js/otpl-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
otpl-toolbar-pageotpl_menu_item_class
FAQ

Frequently Asked Questions about Login with OTP