CVE-2026-12492 PUBLISHED

Happy Coders OTP Login for WooCommerce < 2.8 - Unauthenticated Account Takeover via hcotp_auto_login_user

Assigner: WPScan
Reserved: 17.06.2026 Published: 16.07.2026 Updated: 16.07.2026

The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well as to create new accounts.

Product Status

Vendor Unknown
Product Happy Coders OTP Login for WooCommerce
Versions Default: unaffected
  • affected from 1.5 to 2.8 (excl.)

Credits

  • moonge finder
  • WPScan coordinator

References

Problem Types

  • CWE-287 Improper Authentication CWE