I’m not sure if I understand your attack exactly, but it seems like this is prevented by the checksum. Any alternative message m' that is not equal to the original message m and where each digit of m' is greater than or equal the corresponding digit in m is guaranteed to have a smaller checksum. Thus, in WOTS+C, verification would fail because this checksum would not match the hardcoded checksum. In WOTS, creating a valid signature would require revealing a preimage in one of the checksum chains.
2 Likes