CVE-2024-6482 (GCVE-0-2024-6482)

Vulnerability from cvelistv5 – Published: 2024-09-14 12:31 – Updated: 2024-09-16 19:42
VLAI?
Title
Login with phone number <= 1.7.49 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation
Summary
The Login with phone number plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.49. This is due to a lack of validation and missing capability check on user-supplied data in the 'lwp_update_password_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40. The login with phone number pro plugin was required to exploit the vulnerability in versions 1.7.40 - 1.7.49.
Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
Vendor Product Version
glboy Login with phone number Affected: * , ≤ 1.7.49 (semver)
Create a notification for this product.
Credits
Thanh Nam Tran
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:hamid-alinia-idehweb:login_with_phone_number:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "login_with_phone_number",
            "vendor": "hamid-alinia-idehweb",
            "versions": [
              {
                "lessThanOrEqual": "1.7.49",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6482",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-16T19:39:53.769704Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-16T19:42:48.938Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Login with phone number",
          "vendor": "glboy",
          "versions": [
            {
              "lessThanOrEqual": "1.7.49",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Thanh Nam Tran"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Login with phone number plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.49. This is due to a lack of validation and missing capability check on user-supplied data in the \u0027lwp_update_password_action\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40. The login with phone number pro plugin was required to exploit the vulnerability in versions 1.7.40 - 1.7.49."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-14T12:31:08.795Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de7cde2c-142c-4004-9302-be335265d87d?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/login-with-phonenumber.php#L3803"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3129185/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-09-14T00:06:00.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Login with phone number \u003c= 1.7.49 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-6482",
    "datePublished": "2024-09-14T12:31:08.795Z",
    "dateReserved": "2024-07-03T16:05:30.839Z",
    "dateUpdated": "2024-09-16T19:42:48.938Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:idehweb:login_with_phone_number:*:*:*:*:*:wordpress:*:*\", \"versionStartIncluding\": \"1.7.40\", \"versionEndExcluding\": \"1.7.50\", \"matchCriteriaId\": \"E2A5DD2A-1F8D-4E9B-8F99-8555B246BFDF\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The Login with phone number plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.49. This is due to a lack of validation and missing capability check on user-supplied data in the \u0027lwp_update_password_action\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40. The login with phone number pro plugin was required to exploit the vulnerability in versions 1.7.40 - 1.7.49.\"}, {\"lang\": \"es\", \"value\": \"El complemento Login with phone number para WordPress es vulnerable a la escalada de privilegios en todas las versiones hasta la 1.7.49 incluida. Esto se debe a la falta de validaci\\u00f3n y a la falta de comprobaci\\u00f3n de la capacidad de los datos suministrados por el usuario en la funci\\u00f3n \u0027lwp_update_password_action\u0027. Esto permite que los atacantes autenticados, con acceso de nivel de suscriptor o superior, actualicen su rol a cualquier otro rol, incluido el de administrador. La vulnerabilidad fue parcialmente corregida en la versi\\u00f3n 1.7.40. El complemento Login with phone number pro era necesario para explotar la vulnerabilidad en las versiones 1.7.40 - 1.7.49.\"}]",
      "id": "CVE-2024-6482",
      "lastModified": "2024-09-27T13:54:53.837",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@wordfence.com\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
      "published": "2024-09-14T13:15:10.343",
      "references": "[{\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/login-with-phonenumber.php#L3803\", \"source\": \"security@wordfence.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3129185/\", \"source\": \"security@wordfence.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/de7cde2c-142c-4004-9302-be335265d87d?source=cve\", \"source\": \"security@wordfence.com\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security@wordfence.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"security@wordfence.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-269\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-6482\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2024-09-14T13:15:10.343\",\"lastModified\":\"2024-09-27T13:54:53.837\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Login with phone number plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.49. This is due to a lack of validation and missing capability check on user-supplied data in the \u0027lwp_update_password_action\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40. The login with phone number pro plugin was required to exploit the vulnerability in versions 1.7.40 - 1.7.49.\"},{\"lang\":\"es\",\"value\":\"El complemento Login with phone number para WordPress es vulnerable a la escalada de privilegios en todas las versiones hasta la 1.7.49 incluida. Esto se debe a la falta de validaci\u00f3n y a la falta de comprobaci\u00f3n de la capacidad de los datos suministrados por el usuario en la funci\u00f3n \u0027lwp_update_password_action\u0027. Esto permite que los atacantes autenticados, con acceso de nivel de suscriptor o superior, actualicen su rol a cualquier otro rol, incluido el de administrador. La vulnerabilidad fue parcialmente corregida en la versi\u00f3n 1.7.40. El complemento Login with phone number pro era necesario para explotar la vulnerabilidad en las versiones 1.7.40 - 1.7.49.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:idehweb:login_with_phone_number:*:*:*:*:*:wordpress:*:*\",\"versionStartIncluding\":\"1.7.40\",\"versionEndExcluding\":\"1.7.50\",\"matchCriteriaId\":\"E2A5DD2A-1F8D-4E9B-8F99-8555B246BFDF\"}]}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/login-with-phonenumber.php#L3803\",\"source\":\"security@wordfence.com\",\"tags\":[\"Product\"]},{\"url\":\"https://plugins.trac.wordpress.org/changeset/3129185/\",\"source\":\"security@wordfence.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/de7cde2c-142c-4004-9302-be335265d87d?source=cve\",\"source\":\"security@wordfence.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-6482\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-16T19:39:53.769704Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:hamid-alinia-idehweb:login_with_phone_number:*:*:*:*:*:*:*:*\"], \"vendor\": \"hamid-alinia-idehweb\", \"product\": \"login_with_phone_number\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.7.49\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-16T19:42:36.410Z\"}}], \"cna\": {\"title\": \"Login with phone number \u003c= 1.7.49 - Authenticated (Subscriber+) Authorization Bypass to Privilege Escalation\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Thanh Nam Tran\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"}}], \"affected\": [{\"vendor\": \"glboy\", \"product\": \"Login with phone number\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"1.7.49\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-09-14T00:06:00.000+00:00\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/de7cde2c-142c-4004-9302-be335265d87d?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/login-with-phonenumber.php#L3803\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset/3129185/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Login with phone number plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.49. This is due to a lack of validation and missing capability check on user-supplied data in the \u0027lwp_update_password_action\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40. The login with phone number pro plugin was required to exploit the vulnerability in versions 1.7.40 - 1.7.49.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-269\", \"description\": \"CWE-269 Improper Privilege Management\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2024-09-14T12:31:08.795Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-6482\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-16T19:42:48.938Z\", \"dateReserved\": \"2024-07-03T16:05:30.839Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2024-09-14T12:31:08.795Z\", \"assignerShortName\": \"Wordfence\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.