CVE-2024-5150 (GCVE-0-2024-5150)
Vulnerability from cvelistv5 – Published: 2024-05-29 02:00 – Updated: 2024-08-01 21:03
VLAI?
Title
Login with phone number <= 1.7.26 - Authentication Bypass due to Missing Empty Value Check
Summary
The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the 'activation_code' default value is empty, and the not empty check is missing in the 'lwp_ajax_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user email. The vulnerability is patched in version 1.7.26, but there is an issue in the patch that causes the entire function to not work, and this issue is fixed in version 1.7.27.
Severity ?
9.8 (Critical)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| glboy | Login with phone number |
Affected:
* , ≤ 1.7.26
(semver)
|
Credits
István Márton
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-06T18:26:09.785620Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T18:26:30.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:10.892Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cf34eb9f-f6e9-4a7a-8459-c86f9fa3dad8?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4183"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4220"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4241"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3090625/login-with-phone-number"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3090754/login-with-phone-number#file5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Login with phone number",
"vendor": "glboy",
"versions": [
{
"lessThanOrEqual": "1.7.26",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Istv\u00e1n M\u00e1rton"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the \u0027activation_code\u0027 default value is empty, and the not empty check is missing in the \u0027lwp_ajax_register\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user email. The vulnerability is patched in version 1.7.26, but there is an issue in the patch that causes the entire function to not work, and this issue is fixed in version 1.7.27."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-29T02:00:37.242Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cf34eb9f-f6e9-4a7a-8459-c86f9fa3dad8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4183"
},
{
"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4220"
},
{
"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4241"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3090625/login-with-phone-number"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3090754/login-with-phone-number#file5"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-20T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2024-05-20T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-05-28T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Login with phone number \u003c= 1.7.26 - Authentication Bypass due to Missing Empty Value Check"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5150",
"datePublished": "2024-05-29T02:00:37.242Z",
"dateReserved": "2024-05-20T18:19:48.464Z",
"dateUpdated": "2024-08-01T21:03:10.892Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the \u0027activation_code\u0027 default value is empty, and the not empty check is missing in the \u0027lwp_ajax_register\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user email. The vulnerability is patched in version 1.7.26, but there is an issue in the patch that causes the entire function to not work, and this issue is fixed in version 1.7.27.\"}, {\"lang\": \"es\", \"value\": \"El complemento The Login with phone number para WordPress es vulnerable a la omisi\\u00f3n de autenticaci\\u00f3n en versiones hasta la 1.7.26 incluida. Esto se debe a que el valor predeterminado \u0027activation_code\u0027 est\\u00e1 vac\\u00edo y falta la verificaci\\u00f3n de no vac\\u00edo en la funci\\u00f3n \u0027lwp_ajax_register\u0027. Esto hace posible que atacantes no autenticados inicien sesi\\u00f3n como cualquier usuario existente en el sitio, como un administrador, si tienen acceso al correo electr\\u00f3nico del usuario. La vulnerabilidad se parche\\u00f3 en la versi\\u00f3n 1.7.26, pero hay un problema en el parche que hace que toda la funci\\u00f3n no funcione, y este problema se solucion\\u00f3 en la versi\\u00f3n 1.7.27.\"}]",
"id": "CVE-2024-5150",
"lastModified": "2024-11-21T09:47:04.410",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@wordfence.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2024-05-29T02:16:32.303",
"references": "[{\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4183\", \"source\": \"security@wordfence.com\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4220\", \"source\": \"security@wordfence.com\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4241\", \"source\": \"security@wordfence.com\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3090625/login-with-phone-number\", \"source\": \"security@wordfence.com\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3090754/login-with-phone-number#file5\", \"source\": \"security@wordfence.com\"}, {\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/cf34eb9f-f6e9-4a7a-8459-c86f9fa3dad8?source=cve\", \"source\": \"security@wordfence.com\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4183\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4220\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4241\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3090625/login-with-phone-number\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3090754/login-with-phone-number#file5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/cf34eb9f-f6e9-4a7a-8459-c86f9fa3dad8?source=cve\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Awaiting Analysis"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-5150\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2024-05-29T02:16:32.303\",\"lastModified\":\"2024-11-21T09:47:04.410\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the \u0027activation_code\u0027 default value is empty, and the not empty check is missing in the \u0027lwp_ajax_register\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user email. The vulnerability is patched in version 1.7.26, but there is an issue in the patch that causes the entire function to not work, and this issue is fixed in version 1.7.27.\"},{\"lang\":\"es\",\"value\":\"El complemento The Login with phone number para WordPress es vulnerable a la omisi\u00f3n de autenticaci\u00f3n en versiones hasta la 1.7.26 incluida. Esto se debe a que el valor predeterminado \u0027activation_code\u0027 est\u00e1 vac\u00edo y falta la verificaci\u00f3n de no vac\u00edo en la funci\u00f3n \u0027lwp_ajax_register\u0027. Esto hace posible que atacantes no autenticados inicien sesi\u00f3n como cualquier usuario existente en el sitio, como un administrador, si tienen acceso al correo electr\u00f3nico del usuario. La vulnerabilidad se parche\u00f3 en la versi\u00f3n 1.7.26, pero hay un problema en el parche que hace que toda la funci\u00f3n no funcione, y este problema se solucion\u00f3 en la versi\u00f3n 1.7.27.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4183\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4220\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4241\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset/3090625/login-with-phone-number\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset/3090754/login-with-phone-number#file5\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/cf34eb9f-f6e9-4a7a-8459-c86f9fa3dad8?source=cve\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4183\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4220\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4241\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset/3090625/login-with-phone-number\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset/3090754/login-with-phone-number#file5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/cf34eb9f-f6e9-4a7a-8459-c86f9fa3dad8?source=cve\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/cf34eb9f-f6e9-4a7a-8459-c86f9fa3dad8?source=cve\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4183\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4220\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4241\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3090625/login-with-phone-number\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3090754/login-with-phone-number#file5\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T21:03:10.892Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-5150\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-06T18:26:09.785620Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-06T18:26:25.599Z\"}}], \"cna\": {\"title\": \"Login with phone number \u003c= 1.7.26 - Authentication Bypass due to Missing Empty Value Check\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Istv\\u00e1n M\\u00e1rton\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"}}], \"affected\": [{\"vendor\": \"glboy\", \"product\": \"Login with phone number\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.7.26\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-05-20T00:00:00.000+00:00\", \"value\": \"Discovered\"}, {\"lang\": \"en\", \"time\": \"2024-05-20T00:00:00.000+00:00\", \"value\": \"Vendor Notified\"}, {\"lang\": \"en\", \"time\": \"2024-05-28T00:00:00.000+00:00\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/cf34eb9f-f6e9-4a7a-8459-c86f9fa3dad8?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4183\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4220\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.7.25/login-with-phonenumber.php#L4241\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3090625/login-with-phone-number\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3090754/login-with-phone-number#file5\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is due to the \u0027activation_code\u0027 default value is empty, and the not empty check is missing in the \u0027lwp_ajax_register\u0027 function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user email. The vulnerability is patched in version 1.7.26, but there is an issue in the patch that causes the entire function to not work, and this issue is fixed in version 1.7.27.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-288 Authentication Bypass Using an Alternate Path or Channel\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2024-05-29T02:00:37.242Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-5150\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-01T21:03:10.892Z\", \"dateReserved\": \"2024-05-20T18:19:48.464Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2024-05-29T02:00:37.242Z\", \"assignerShortName\": \"Wordfence\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…