Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-9861

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.6.0. This is due to missing validation on the token being supplied during the otp login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the phone number associated with that user.

Published

2024-10-17T02:15:03.493

Last Modified

2025-01-28T18:56:36.567

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

Weaknesses

Type: Secondary
CWE-288
Type: Primary
CWE-306

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	miniorange	otp_verification_with_firebase	< 3.6.1	Yes

References

https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-loginform.php#L144 Product ([email protected])
https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-loginform.php#L190 Product ([email protected])
https://plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verification#file3 Patch ([email protected])
https://www.wordfence.com/threat-intel/vulnerabilities/id/04045ec3-dd8e-4ac5-bd73-eef6205ecc62?source=cve Third Party Advisory ([email protected])