509 matches found
CVE-2026-0057
In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2026-3655
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...
WordPress OTP Login With Phone Number, OTP Verification plugin 1.8.50-1.8.60 - Unauthenticated Authentication Bypass vulnerability
Unauthenticated Authentication Bypass vulnerability discovered by luckybuddy in WordPress Plugin Login with phone number versions 1.8.50-1.8.60...
CVE-2026-3655
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...
CVE-2026-3655 OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...
EUVD-2026-33255
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...
CVE-2026-3655
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...
CVE-2026-3655 OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...
CVE-2026-3655
The CVE-2026-3655 entry describes an authentication bypass in the WordPress plugin “OTP Login With Phone Number, OTP Verification” versions 1.8.50–1.8.60. The root cause is a Firebase verification flow in the lwp_ajax_register AJAX handler that does not bind the Firebase session to the submitted ...
WordPress plugin OTP Login With Phone Number OTP Verification 授权问题漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
PT-2026-44756
Name of the Vulnerable Software and Affected Versions OTP Login With Phone Number, OTP Verification plugin for WordPress versions 1.8.50 through 1.8.60 Description An authentication bypass exists due to the Firebase verification flow in the 'lwp ajax register' AJAX handler not binding the Firebas...
CVE-2018-25330
Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities that allow attackers to inject malicious code through profile fields and POST parameters. Attackers can inject script payloads in profile information fields like Address that execute when...
CVE-2018-25330
Joomla! EkRishta 2.10 is affected by persistent XSS and SQL injection as described in CVE-2018-25330. The vulnerabilities enable attackers to inject script payloads into profile information (e.g., Address) and SQL payloads via the phone_no parameter to user_setting, allowing script execution when...
CVE-2018-25330 Joomla! EkRishta 2.10 Persistent XSS and SQL Injection
Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities that allow attackers to inject malicious code through profile fields and POST parameters. Attackers can inject script payloads in profile information fields like Address that execute when...
CVE-2018-25330 Joomla! EkRishta 2.10 Persistent XSS and SQL Injection
Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities that allow attackers to inject malicious code through profile fields and POST parameters. Attackers can inject script payloads in profile information fields like Address that execute when...
Insights into the clustering and reuse of phone numbers in scam emails
Cisco Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise IOC. In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails. According to Talos' observations, the ease of API-driven...
Astra Linux – Vulnerability in Zabbix
Zabbix allows for the configuration of SMS notifications. AT command injection occurs on the “Zabbix Server” because there is no validation of the “Number” field either on the web interface or on the Zabbix server side. An attacker can send specially crafted phone numbers via SMS and execute...
CVE-2026-34758
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42...
CVE-2026-34758
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/WhatsApp abuse and phone number purchase. This issue has been patched in version 10.0.42...
CVE-2026-34759 OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. Thes...