PT-2024-37658 · WordPress · Login With Phone Number

Thanh Nam Tran · Published 2024-09-14 · Updated 2024-09-27 · CVE-2024-6482

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Login with phone number plugin for WordPress, versions up to and including 1.7.49.

Description: The issue is due to a lack of validation and a missing capability check on user-supplied data in the lwp_update_password_action function. This allows authenticated attackers with Subscriber-level access and above to update their own role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40; in versions 1.7.40 to 1.7.49 it remains exploitable only when the Login with phone number Pro plugin is also installed.

Recommendations: For versions up to 1.7.39, update to a version above 1.7.49 to fully resolve the issue. For versions 1.7.40 to 1.7.49, make sure the Login with phone number Pro plugin is not installed or active, and update to a version above 1.7.49 to fully resolve the issue. If you cannot update immediately, consider disabling the lwp_update_password_action function as a temporary workaround until you can.
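The bug class described above, shown as an added illustration that is not the plugin's own code: a hypothetical WordPress AJAX handler (example_update_password_action_vulnerable, registered on an assumed hook name) that forwards the request body to wp_update_user() without a nonce or capability check, followed by a hardened version that verifies the nonce, restricts the operation to the current user, builds the update array from an allow-list, and never lets the caller supply a role. All function, hook and parameter names are assumptions for illustration; only the WordPress core APIs used are real.

```php
<?php
// Added example: hypothetical handlers showing the bug class. Not code from the plugin.

// --- Vulnerable pattern: user-controlled array passed straight to wp_update_user() ---
// Any logged-in user (Subscriber and up) can call a wp_ajax_* action.
add_action( 'wp_ajax_example_update_password_vulnerable', 'example_update_password_action_vulnerable' );
function example_update_password_action_vulnerable() {
    // No check_ajax_referer(), no current_user_can(): nothing limits who gets here.
    $data       = $_POST;                     // may carry 'user_pass' ... and 'role'
    $data['ID'] = get_current_user_id();

    // wp_update_user() -> wp_insert_user() applies $userdata['role'] when it is set,
    // so a Subscriber who submits role=administrator promotes their own account.
    $result = wp_update_user( $data );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_example_update_password', 'example_update_password_action_hardened' );
function example_update_password_action_hardened() {
    // 1. CSRF protection: the form must carry a nonce made with
    //    wp_create_nonce( 'example_update_password' ) in the 'nonce' field.
    check_ajax_referer( 'example_update_password', 'nonce' );

    // 2. Capability check: the caller may only touch their own account.
    //    'edit_user' on one's own ID is granted to every role by map_meta_cap().
    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validate the one field we actually need; never copy $_POST wholesale.
    $new_pass = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $new_pass ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    // 4. Allow-list: the update array is built from scratch, so a 'role' key sent
    //    by the client can never reach wp_update_user().
    $result = wp_update_user( array(
        'ID'        => $user_id,
        'user_pass' => $new_pass,
    ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
```

When reviewing a plugin for this pattern, grep for wp_update_user( and wp_insert_user( and confirm that the array they receive is constructed field by field rather than taken from $_POST or $_REQUEST; a nonce check alone does not close the hole, because the attacker here is a legitimately logged-in user submitting their own form.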

Fix

Weakness Enumeration: Improper Privilege Management

Related Identifiers: CVE-2024-6482

Affected Products: Login With Phone Number