WordPress Plugin Vulnerabilities

DoLogin Security < 3.8 - Missing Authorization via REST Endpoints

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on multiple REST functions, allowing unauthenticated attackers to send test SMS messages to arbitrary phone numbers, bypass brute force protections by making unlimited login attempts, and make use of the plugin's IP geolocation functionality.

Affects Plugins

Plugin icon
dologin
Fixed in 3.8

References

CVE
CVE-2023-46608
URL
https://patchstack.com/database/vulnerability/dologin/wordpress-dologin-security-plugin-3-7-1-multiple-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
f3703c4d-bf6d-47e5-87e5-10459667b5f4

Timeline

Publicly Published
2023-10-24 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-03-12 (about 2 years ago)

Other

Published
Title
Published
2024-06-20
Title
ConvertKit < 2.4.9.1 - Missing Authorization
Published
2025-06-19
Title
App Builder < 5.5.8 - Missing Authorization
Published
2024-05-29
Title
Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection < 10.24 - Missing Authorization to Information Expsoure
Published
2025-12-20
Title
Redirection for Contact Form 7 < 3.2.8 - Unauthenticated Arbitrary File Copy
Published
2024-06-05
Title
Login/Signup Popup ( Inline Form + Woocommerce ) 2.7.1 - 2.7.2 - Missing Authorization to Arbitrary Options Exposure