Login with phone number < 1.3.7 – Unauthenticated remote plugin deletion | CVE 2022-0593

Description

The plugin includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated user to remotely delete the plugin files leading to a potential Denial of Service situation.

Proof of Concept

http://example/wp-content/plugins/login-with-phone-number/delete.php?delete=1

Affects Plugins

Fixed in 1.3.7

References

CVE

CVE-2022-0593

URL

https://wordpress.org/plugins/login-with-phone-number

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CWE-73

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

Michal Lipinski

Submitter

Michal Lipinski

Submitter website

https://beastiecode.com

Verified

Yes

WPVDB ID

76a50157-04b5-43e8-afbc-a6ddf6d1cba3

Timeline

Publicly Published

2022-02-16 (about 3 years ago)

Added

2022-02-16 (about 3 years ago)

Last Updated

2022-04-08 (about 3 years ago)

Other

Published

Title

Published

2025-05-23

Title

eMagicOne Store Manager for WooCommerce < 1.3.0 - Unauthenticated Arbitrary File Read

Published

2025-02-28

Title

Simple Download Counter < 2.1 - Authenticated (Author+) Arbitrary File Read

Published

2025-05-16

Title

WPBot Pro Wordpress Chatbot < 13.7.0 - Authenticated (Subscriber+) Arbitrary File Deletion

Published

2025-06-10

Title

WP-DownloadManager < 1.68.11 - Admin+ Arbitrary File Deletion

Published

2020-10-29

Title

WordPress < 5.5.2 - Protected Meta That Could Lead to Arbitrary File Deletion