CVE-2024-6125

HIGH

WordPress Login with phone number <1.7.34 - Info Disclosure


Description

The Login with phone number plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including, 1.7.34. This is due to the plugin generating a reset code that is too weak (a 6-digit numeric value), and to the password reset flow enforcing neither an attempt limit nor a time limit on that code. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing the 6-digit numeric reset code.

Scores

CVSS v3 8.1
EPSS 0.0114
EPSS Percentile 78.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-640
Status published
Products (2)
glboy/Login with phone number < 1.7.34
glboy/OTP Login With Phone Number, OTP Verification < 1.7.34
Published Jun 19, 2024
Tracked Since Feb 18, 2026