WordPress Plugin Vulnerabilities

Login with phone number < 1.7.27 - Authentication Bypass due to Missing Empty Value Check

Description

The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the 'activation_code' default value is empty, and the not empty check is missing in the 'lwp_ajax_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user email. The vulnerability is patched in version 1.7.26, but there is an issue in the patch that causes the entire function to not work, and this issue is fixed in version 1.7.27.

Affects Plugins

Plugin icon
login-with-phone-number
Fixed in 1.7.27

References

CVE
CVE-2024-5150
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cf34eb9f-f6e9-4a7a-8459-c86f9fa3dad8

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
d251e0b5-8455-4cbd-aaf9-a5617047c510

Timeline

Publicly Published
2024-05-28 (about 1 year ago)
Added
2024-05-28 (about 1 year ago)
Last Updated
2024-05-28 (about 1 year ago)

Other

Published
Title
Published
2018-10-02
Title
Wordfence < 7.1.14 - Username Enumeration Prevention Bypass
Published
2022-01-06
Title
IP2Location Country Blocker < 2.26.5 - Ban Bypass
Published
2022-10-28
Title
Login Block IPs <= 1.0.0 - IP Spoofing Bypass
Published
2023-05-30
Title
Jetpack < 12.1.1 - Author+ Arbitrary File Manipulation via API
Published
2023-11-16
Title
LWS Hide Login < 2.1.9 - Protection Mechanism Bypass