CVE-2024-32832
BaseFortify

Publication date: 2025-08-31

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Missing Authorization vulnerability in Hamid Alinia Login with phone number login-with-phone-number. This issue affects Login with phone number: from n/a through <= 1.6.93.
Meta Information
Published: 2025-08-31
Last Modified: 2026-04-23
Generated: 2026-06-16
AI Q&A: 2025-08-31
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
patchstack | login_with_phone_number | *
CWE
CWE ID | Description
CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability is a Missing Authorization (Broken Access Control) flaw in the WordPress plugin "Login with Phone Number" up to version 1.6.93. It allows unauthenticated users to perform actions that should be restricted to higher-privileged users because the plugin lacks proper authorization, authentication, or nonce token checks. This means attackers can bypass security controls and potentially take over or manipulate the site. [1]

Impact Analysis

The vulnerability is rated critical, with a CVSS score of 9.8. Attackers can gain unauthorized access and compromise the confidentiality, integrity, and availability of the affected system, which can lead to site takeover, data breaches, and service disruption. The vulnerability is actively exploited in the wild and expected to see mass exploitation, making it urgent to update the plugin to version 1.6.94 or later. [1]

Detection Guidance

The provided resources do not include specific commands or detailed methods to detect this vulnerability on your network or system. Detection would likely involve monitoring for unauthorized access attempts or checking the plugin version installed, but no explicit detection commands are given.

Mitigation Strategies

Immediate mitigation steps include updating the WordPress plugin "Login with Phone Number" to version 1.6.94 or later, which contains the fix for this vulnerability. Alternatively, applying the Patchstack virtual patch (vPatch) can automatically block attacks until the update is performed. It is also recommended to perform professional incident response and server-side malware scanning if compromise is suspected. [1]
