wpvulndb
WPVDB-ID: E024BF11-3F6A-46EF-AF44-B406B5ED9280
History: May 07, 2024 - 12:00 a.m.

Login with phone number < 1.7.20 - Missing Authorization

2024-05-07 00:00:00
wpscan.com
wordpress
plugin
unauthorized modification

CVSS3: 4.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score: 6.4
Confidence: Low

EPSS: 0
Percentile: 9.0%

Description

The Login with phone number plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the idehweb_lwp_update_billing_phones function in versions up to, and including, 1.7.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify billing phone numbers.
