PT-2023-6551 · WordPress · Login With Phone Number Plugin For Wordpress
Joshua Martinelle · Published 2023-01-20 · Updated 2023-10-06 · CVE-2023-23492
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Login with Phone Number WordPress Plugin version < 1.4.2
Description
The issue is an authenticated SQL injection vulnerability in the lwp forgot password action. The action lacks protection measures for the SQL query structure, which a remote attacker can exploit to execute arbitrary code. The ID parameter of the lwp forgot password action is vulnerable.
Recommendations
For Login with Phone Number WordPress Plugin version < 1.4.2, update to version 1.4.2 or later to resolve the issue.
As a temporary workaround, consider restricting access to the lwp forgot password action until a patch is available.
Avoid using the ID parameter in the affected action until the issue is resolved.
Exploit
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Login With Phone Number Plugin For Wordpress