WordPress Plugin Vulnerabilities

Login with phone number < 1.6.94 - Missing Authorization

Description

The Login with phone number plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on a function in versions up to, and including, 1.6.93. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
login-with-phone-number
Fixed in 1.6.94

References

CVE
CVE-2024-32832
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c600e8d0-7fe1-408e-a51d-8519a9acceb1

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Majed Refaea
Verified
No
WPVDB ID
189e74ec-a1e0-4a04-b299-97b4919cfc31

Timeline

Publicly Published
2024-04-22 (about 28 days ago)
Added
2024-04-29 (about 21 days ago)
Last Updated
2024-04-29 (about 21 days ago)

Other

Published
Title
Published
2024-03-20
Title
Olive One Click Demo Import < 1.1.2 - Missing Authorization
Published
2024-02-26
Title
Rolo Slider <= 1.0.9 - Missing Authorization to Authenticated(Subscriber+) Settings Change
Published
2024-01-30
Title
Fatal Error Notify < 1.5.3 - Subscriber+ Test Error Email Sending
Published
2021-11-10
Title
Meks Easy Photo Feed Widget < 1.2.4 - Subscriber+ Settings Update to Stored XSS
Published
2024-04-29
Title
SP Project & Document Manager <= 4.69 - Missing Authorization