A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WordPress Login with phone number Plugin. This vulnerability could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication.
This vulnerability was discovered and responsibly reported by Lana Codes.
The vulnerability is a CSRF vulnerability that occurs in the login-with-phone-number.php file. The vulnerability allows an attacker to exploit a flaw in the way that the plugin handles user input to trick a higher-privileged user into performing an unwanted action.
Severity:
The vulnerability has a CVSS 3.1 score of 8.8, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.
Affected Versions:
The vulnerability affects all versions of the Login with phone number Plugin.
Impact:
An attacker who successfully exploits this vulnerability could:
- Force higher privileged users to delete or modify files.
- Force higher privileged users to install malicious plugins or themes.
- Force higher privileged users to change the website’s configuration.
- Take any other action that the higher privileged user could do.
Recommendation:
Given the critical nature of this vulnerability, taking swift action is imperative to bolster the website’s defenses:
- Disable the Plugin: In the absence of a patched version, consider disabling the Login with Phone Number Plugin. This precautionary measure can help mitigate the potential risks associated with the CSRF vulnerability.
- Enhance Security Protocols: Strengthen the website’s security measures by implementing robust authentication methods, access controls, and regular security assessments. A proactive approach is crucial to thwart potential exploitation attempts.
Conclusion:
This vulnerability is a serious threat to the security of WordPress websites that use the Login with phone number Plugin. Users of the Login with phone number Plugin are strongly advised to uninstall the plugin until a patched version is released.