WordPress Plugin Vulnerabilities

Login with phone number < 1.7.35 - Insecure Password Reset Mechanism

Description

The plugin is vulnerable to unauthorized password resets due to generating too weak reset code, and the code used to reset the password has no attempt or time limit. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing a 6-digit numeric reset code.

Affects Plugins

References

Miscellaneous

Original Researcher
István Márton
Verified
No

Timeline

Publicly Published
2024-06-18 (about 2 years ago)
Added
2024-06-24 (about 2 years ago)
Last Updated
2024-06-24 (about 2 years ago)

Other