Description

WordPress Plugin Login with phone number is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently log in as any existing user on the site, such as an administrator, if they have access to the user email. WordPress Plugin Login with phone number version 1.7.26 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.7.27 or latest

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/login-with-phone-number/login-with-phone-number-1726-authentication-bypass-due-to-missing-empty-value-check

https://plugins.svn.wordpress.org/login-with-phone-number/trunk/readme.txt

Related Vulnerabilities

Oracle Database Server CVE-2006-0267 Vulnerability (CVE-2006-0267)

Joomla Insufficient Session Expiration Vulnerability (CVE-2021-26037)

WordPress Plugin Team Members Cross-Site Scripting (5.1.0)

OpenVPN AS Other Vulnerability (CVE-2006-2229)

WordPress Plugin ExS Widgets Local File Inclusion (0.3.1)

Severity

High

Classification

CVE-2024-5150 CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass