The WatchTowerHQ plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.6. This is because the default value of watchtower_ota_token is empty and the Password_Less_Access::login function lacks a check that the token is not empty. This makes it possible for unauthenticated attackers to log in as the WatchTowerHQ client administrator user.
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
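
The missing non-empty check described above, shown as a generic pattern beside a hardened form. This is an added example, not the plugin's source: the function names, the $options array standing in for the WordPress options store, and the sample token are hypothetical; only the watchtower_ota_token name comes from the advisory.

```php
<?php
// Added illustration; not the WatchTowerHQ plugin's source.
// $options stands in for the WordPress options table (constructed sample data).

/** Flawed pattern: compares tokens without rejecting an empty stored value. */
function token_matches_unchecked(array $options, $supplied): bool
{
    $stored = $options['watchtower_ota_token'] ?? '';
    return $supplied == $stored; // '' == '' is true, so an unset token "matches"
}

/** Hardened pattern: fail closed when no token has been issued. */
function token_matches_checked(array $options, $supplied): bool
{
    $stored = $options['watchtower_ota_token'] ?? '';
    if (!is_string($stored) || $stored === '') {
        return false; // no token provisioned: passwordless login is disabled
    }
    if (!is_string($supplied) || $supplied === '') {
        return false; // reject missing, empty, or non-string input
    }
    return hash_equals($stored, $supplied); // constant-time comparison
}

$fresh_install = ['watchtower_ota_token' => ''];  // default state per the advisory
$provisioned   = ['watchtower_ota_token' => 'constructed-sample-token'];

$cases = [
    ['fresh install, empty token',   $fresh_install, ''],
    ['fresh install, missing token', $fresh_install, null],
    ['provisioned, wrong token',     $provisioned,   'nope'],
    ['provisioned, correct token',   $provisioned,   'constructed-sample-token'],
];

// Print both verdicts side by side for each constructed case.
foreach ($cases as [$label, $options, $supplied]) {
    printf(
        "%-30s unchecked=%-5s checked=%s\n",
        $label,
        var_export(token_matches_unchecked($options, $supplied), true),
        var_export(token_matches_checked($options, $supplied), true)
    );
}
```

The two fresh-install rows are the ones to watch: the unchecked comparison accepts them, while the hardened form fails closed until a token has actually been provisioned.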