PT-2024-39893 · WordPress · Miniorange Otp Verification With Firebase

István Márton

·

Published

2024-10-16

·

Updated

2024-10-22

·

CVE-2024-9861

CVSS v3.1

8.1

High

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Miniorange OTP Verification with Firebase plugin for WordPress, versions up to and including 3.6.0
Description The issue is due to missing validation of the token supplied during OTP login through the plugin. Because the token is never checked, the phone number is the only thing the login handler effectively relies on, which makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the phone number associated with that user.
Recommendations For versions up to and including 3.6.0, update to a version higher than 3.6.0 to resolve the issue. As a temporary workaround, restrict access to the OTP login feature until the patched version is installed, and do not rely on OTP login for accounts tied to untrusted or unverified phone numbers until the issue is resolved.
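The flaw described above, modelled as an added example (this is not the plugin's code, and the page does not show the plugin's handler): a login handler that looks the user up by the phone number from the request and never checks the token, beside a hardened handler that verifies the token and takes the identity only from its signed claims. Firebase issues RS256-signed ID tokens that are checked against Google's published public keys; to keep the file runnable offline, an HMAC-SHA256 JWT with a shared secret stands in for that signature. The project ID, the user table and all phone numbers are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed user table for the example: phone number -> WordPress-style user record.
USERS = {
    "+15555550100": {"id": 1, "login": "admin", "role": "administrator"},
    "+15555550101": {"id": 2, "login": "alice", "role": "subscriber"},
}
PROJECT_ID = "example-project"                     # assumed Firebase project id
ISSUER = "https://securetoken.google.com/" + PROJECT_ID
SIGNING_KEY = b"stand-in-for-google-signing-key"   # assumption: HMAC replaces RS256 + key fetch


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(phone: str, key: bytes = SIGNING_KEY, ttl: int = 3600) -> str:
    """Token the identity provider returns to the browser after the OTP was entered correctly."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": PROJECT_ID, "iat": now, "exp": now + ttl, "phone_number": phone}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def login_vulnerable(phone: str, token: str) -> Optional[dict]:
    """Pattern the advisory describes: the token is received but never validated,
    so knowing a user's phone number is enough to obtain that user's session."""
    user = USERS.get(phone)
    if user is None:
        return None
    return {"session_for": user["login"], "role": user["role"]}


class TokenError(Exception):
    pass


def verify_id_token(token: str, key: bytes = SIGNING_KEY, now: Optional[int] = None) -> dict:
    """Algorithm, signature, issuer, audience and expiry checks; returns the verified claims."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):   # binascii.Error and JSONDecodeError are ValueErrors
        raise TokenError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":           # pin the algorithm before trusting anything else
        raise TokenError("unexpected algorithm")
    expected = hmac.new(key, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    if claims.get("iss") != ISSUER or claims.get("aud") != PROJECT_ID:
        raise TokenError("wrong issuer or audience")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise TokenError("expired")
    return claims


def login_fixed(token: str) -> Optional[dict]:
    """Hardened handler: the account is chosen by the verified phone_number claim only;
    a phone number sent in the request is never consulted."""
    try:
        claims = verify_id_token(token)
    except TokenError:
        return None
    user = USERS.get(claims.get("phone_number"))
    if user is None:
        return None
    return {"session_for": user["login"], "role": user["role"]}


if __name__ == "__main__":
    print("vulnerable, junk token:", login_vulnerable("+15555550100", "junk"))
    print("fixed, junk token:     ", login_fixed("junk"))
    print("fixed, valid token:    ", login_fixed(issue_id_token("+15555550101")))
```

The two handlers differ in one design decision: where the identity comes from. In the vulnerable path it comes from a request parameter the attacker controls; in the hardened path it comes from a claim inside a token whose signature, issuer, audience and expiry have been checked first, so a token minted for one phone number cannot be replayed to log in as another account, and a token signed with any key other than the provider's is rejected outright.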

Fix

Weakness Enumeration

Missing Authentication

Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2024-9861

Affected Products

Miniorange Otp Verification With Firebase