Description

WordPress Plugin Login with phone number is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently log in as any existing user on the site, such as an administrator, if they have access to the user email. WordPress Plugin Login with phone number version 1.7.26 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin version 1.7.27 or latest

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/login-with-phone-number/login-with-phone-number-1726-authentication-bypass-due-to-missing-empty-value-check

https://plugins.svn.wordpress.org/login-with-phone-number/trunk/readme.txt

Related Vulnerabilities

WordPress Plugin Spam protection, AntiSpam, FireWall by CleanTalk Cross-Site Scripting (5.21)

Ruby Numeric Errors Vulnerability (CVE-2009-1904)

Apache HTTP Server Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2022-30522)

PrestaShop Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2018-19126)

Microsoft SQL Server CVE-2023-21528 Vulnerability (CVE-2023-21528)

Severity

High

Classification

CVE-2024-5150 CWE-287 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass