CVE-2024-6125

Name of the Vulnerable Software and Affected Versions: Login with phone number plugin for WordPress versions up to, and including 1.7.34

Description: The issue is related to the generation of weak reset codes and the lack of attempt or time limits for password resets. This allows unauthenticated attackers to reset the password of arbitrary users by guessing a 6-digit numeric reset code.

Recommendations: For versions up to, and including 1.7.34, consider disabling the password reset functionality until a patch is available. Restrict access to the password reset module to minimize the risk of exploitation. Avoid using the reset code generation feature in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.