A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Login with phone number plugin for WordPress. In a CSRF attack the attacker makes a logged-in user's browser send a request the user never intended; because the browser attaches the user's session cookies automatically, the request is processed with that user's privileges. Here that means a malicious actor could force a higher-privileged user, such as an administrator, to execute unwanted actions under their current authentication.

This vulnerability was discovered and responsibly reported by Lana Codes.

The vulnerability is located in the login-with-phone-number.php file. The affected request handler performs a state-changing action without verifying that the request was deliberately issued by the logged-in user; in WordPress that verification is normally a nonce checked with wp_verify_nonce() or check_admin_referer(). Without it, an attacker can craft a page or link that, when visited by a higher-privileged user, silently submits the request and has the plugin perform the action on the attacker's behalf.
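To make the flaw concrete, the following added example contrasts the unprotected handler pattern that produces a CSRF vulnerability in a WordPress plugin with the hardened form. It is illustrative code written for this advisory, not code from the Login with phone number plugin; the hook name lwp_demo_save, the option lwp_demo_setting, the nonce field _lwp_nonce and the manage_options capability are assumptions chosen for the example.

```php
<?php
/*
 * Added illustration, not code from the Login with phone number plugin.
 * The hook "lwp_demo_save", the option "lwp_demo_setting", the nonce field
 * "_lwp_nonce" and the "manage_options" capability are assumptions.
 */

/* --- Vulnerable pattern: a state-changing admin-post handler with no
 *     nonce and no capability check. Any page an administrator visits can
 *     submit a form to admin-post.php?action=lwp_demo_save; the browser
 *     attaches the administrator's cookies and the option is overwritten. --- */
function lwp_demo_save_vulnerable() {
    $value = isset( $_POST['setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['setting'] ) )
        : '';
    update_option( 'lwp_demo_setting', $value );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

/* --- Hardened pattern: the same action protected the way WordPress
 *     expects, before any state is touched. --- */
function lwp_demo_save_hardened() {
    // 1. Authorisation: only users allowed to change site configuration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'lwp-demo' ), 403 );
    }

    // 2. Request intent: the nonce is tied to this user, this session and
    //    this action, so a cross-site request forged by an attacker cannot
    //    carry a valid one. On failure check_admin_referer() stops execution.
    check_admin_referer( 'lwp_demo_save', '_lwp_nonce' );

    // 3. Only now validate input and change state.
    $value = isset( $_POST['setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['setting'] ) )
        : '';
    update_option( 'lwp_demo_setting', $value );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

/* Register only the hardened handler. admin_post_{action} fires for
 * logged-in users; no admin_post_nopriv_ variant is registered, so
 * anonymous requests never reach this code. */
add_action( 'admin_post_lwp_demo_save', 'lwp_demo_save_hardened' );

/* The matching form. wp_nonce_field() emits the hidden _lwp_nonce field
 * (plus a referer field) that the hardened handler verifies. */
function lwp_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lwp_demo_save">
        <?php wp_nonce_field( 'lwp_demo_save', '_lwp_nonce' ); ?>
        <label for="lwp-setting">Setting</label>
        <input type="text" id="lwp-setting" name="setting"
               value="<?php echo esc_attr( get_option( 'lwp_demo_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The order of the checks matters: the capability check rejects low-privileged users outright, and the nonce check rejects requests that a privileged user did not knowingly submit. Either check alone is insufficient; a plugin that only checks current_user_can() is exactly the kind of code a CSRF attack targets, because the victim does have the capability.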

Severity:

The vulnerability has a CVSS 3.1 base score of 8.8, which is rated High. A score in this range reflects that the attacker needs no account on the site and only has to get a privileged user to visit an attacker-controlled page or follow a crafted link while logged in, and that a successful attack can affect the confidentiality, integrity and availability of the site. Note that CVSS measures severity, not the probability that the flaw will actually be exploited.

Affected Versions:

The vulnerability affects all versions of the Login with phone number plugin available at the time of this advisory; no patched release is known.

Impact:

The actions an attacker can force are limited to what the unprotected handler does, but they run with the victim's privileges. An attacker who successfully exploits this vulnerability against an administrator could, in the worst case:

  • Force higher-privileged users to delete or modify files.
  • Force higher-privileged users to install malicious plugins or themes.
  • Force higher-privileged users to change the website's configuration.
  • Take any other action that the victim's role permits.

Recommendation:

Given the high severity of this vulnerability and the absence of a fix, act promptly to reduce the website's exposure:

  • Deactivate the plugin: Until a patched version is released, deactivate (or remove) the Login with phone number plugin. This is the only measure that removes the vulnerable code path; monitor the plugin's changelog and update as soon as a fixed release is available.
  • Reduce the blast radius: Keep the number of administrator accounts to a minimum, have privileged users log out of wp-admin when they are not using it and avoid following untrusted links while logged in, and review other installed plugins for request handlers that change state without a nonce check. Do not rely on browsers' default SameSite=Lax cookie handling as a substitute for a fix: it withholds cookies from cross-site POST requests in many browsers, but top-level GET navigations still carry them, so any GET-triggered action remains exploitable.

Conclusion:

This vulnerability is a serious threat to WordPress websites that use the Login with phone number plugin, because a single crafted link opened by an administrator is enough to trigger it. Users of the plugin are strongly advised to deactivate it until a patched version is released and to update as soon as one is available.