Description

WordPress Plugin Login with phone number is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently log in as any existing user on the site, such as an administrator, if they have access to the user email. WordPress Plugin Login with phone number version 1.7.26 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.7.27 or latest

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/login-with-phone-number/login-with-phone-number-1726-authentication-bypass-due-to-missing-empty-value-check

https://plugins.svn.wordpress.org/login-with-phone-number/trunk/readme.txt

Related Vulnerabilities

WordPress Plugin Content Cards Cross-Site Scripting (0.9.6)

Oracle JRE CVE-2013-2437 Vulnerability (CVE-2013-2437)

MySQL CVE-2021-2020 Vulnerability (CVE-2021-2020)

Apache HTTP Server Uncontrolled Resource Consumption Vulnerability (CVE-2009-1891)

Internet Information Services Other Vulnerability (CVE-2003-0224)

Severity

High

Classification

CVE-2024-5150 CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass