Vulnerability Details CVE-2023-4916
The Login with phone number plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.6. This is due to missing nonce validation on the 'lwp_update_password_action' function. This makes it possible for unauthenticated attackers to change user password via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 62.1%
CVSS Severity
CVSS v3 Score 8.8
References
- https://plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/login-with-phonenumber.php?rev=2965324#L2942
- https://plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/login-with-phonenumber.php?rev=2967707#L2948
- https://www.wordfence.com/threat-intel/vulnerabilities/id/71083db7-377b-47a1-ac8b-83d8974a2654?source=cve
- https://plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/login-with-phonenumber.php?rev=2965324#L2942
- https://plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/login-with-phonenumber.php?rev=2967707#L2948
- https://www.wordfence.com/threat-intel/vulnerabilities/id/71083db7-377b-47a1-ac8b-83d8974a2654?source=cve
Products affected by CVE-2023-4916
-
cpe:2.3:a:idehweb:login_with_phone_number:-
-
cpe:2.3:a:idehweb:login_with_phone_number:1.0
-
cpe:2.3:a:idehweb:login_with_phone_number:1.0.1
-
cpe:2.3:a:idehweb:login_with_phone_number:1.0.8
-
cpe:2.3:a:idehweb:login_with_phone_number:1.0.9
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.0
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.01
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.03
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.04
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.05
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.06
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.07
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.09
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.10
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.11
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.12
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.13
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.14
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.15
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.16
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.17
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.20
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.21
-
cpe:2.3:a:idehweb:login_with_phone_number:1.1.22
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.0
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.01
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.02
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.03
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.04
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.05
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.06
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.07
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.08
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.09
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.10
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.11
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.12
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.13
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.14
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.15
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.16
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.17
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.18
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.19
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.20
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.21
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.22
-
cpe:2.3:a:idehweb:login_with_phone_number:1.2.23
-
cpe:2.3:a:idehweb:login_with_phone_number:1.3.0
-
cpe:2.3:a:idehweb:login_with_phone_number:1.3.1
-
cpe:2.3:a:idehweb:login_with_phone_number:1.3.2
-
cpe:2.3:a:idehweb:login_with_phone_number:1.3.3
-
cpe:2.3:a:idehweb:login_with_phone_number:1.3.4
-
cpe:2.3:a:idehweb:login_with_phone_number:1.3.5
-
cpe:2.3:a:idehweb:login_with_phone_number:1.3.6
-
cpe:2.3:a:idehweb:login_with_phone_number:1.3.7
-
cpe:2.3:a:idehweb:login_with_phone_number:1.3.9
-
cpe:2.3:a:idehweb:login_with_phone_number:1.4.0
-
cpe:2.3:a:idehweb:login_with_phone_number:1.4.1
-
cpe:2.3:a:idehweb:login_with_phone_number:1.4.2
-
cpe:2.3:a:idehweb:login_with_phone_number:1.4.3
-
cpe:2.3:a:idehweb:login_with_phone_number:1.4.4
-
cpe:2.3:a:idehweb:login_with_phone_number:1.4.5
-
cpe:2.3:a:idehweb:login_with_phone_number:1.4.6
-
cpe:2.3:a:idehweb:login_with_phone_number:1.4.61
-
cpe:2.3:a:idehweb:login_with_phone_number:1.4.62
-
cpe:2.3:a:idehweb:login_with_phone_number:1.4.63
-
cpe:2.3:a:idehweb:login_with_phone_number:1.4.7
-
cpe:2.3:a:idehweb:login_with_phone_number:1.4.8
-
cpe:2.3:a:idehweb:login_with_phone_number:1.4.9
-
cpe:2.3:a:idehweb:login_with_phone_number:1.5.2
-
cpe:2.3:a:idehweb:login_with_phone_number:1.5.3
-
cpe:2.3:a:idehweb:login_with_phone_number:1.5.4
-
cpe:2.3:a:idehweb:login_with_phone_number:1.5.5
-
cpe:2.3:a:idehweb:login_with_phone_number:1.5.6