Platform
wordpress
Component
login-with-phone-number
Fixed in
1.7.50
CVE-2024-6482 is a privilege escalation vulnerability discovered in the Login with Phone Number plugin for WordPress. An authenticated attacker with Subscriber-level access or higher can exploit this flaw to elevate their role to Administrator, gaining complete control over the WordPress site. This vulnerability affects versions up to and including 1.7.49, with a partial fix introduced in version 1.7.40. Users are advised to upgrade to version 1.7.50 or later.
The primary impact of CVE-2024-6482 is that a lower-privileged user (Subscriber) can gain administrative access to a WordPress site. This allows the attacker to modify site content, install malicious plugins, steal sensitive data, and potentially compromise the entire system. In versions 1.7.40 through 1.7.49, exploitation additionally requires the 'Login with Phone Number Pro' plugin to be present, but earlier versions are vulnerable without that condition. Successful exploitation could lead to complete site takeover and data exfiltration.
CVE-2024-6482 was publicly disclosed on September 14, 2024. Currently, there are no known active campaigns exploiting this vulnerability, but the availability of a relatively straightforward privilege escalation path makes it a potential target. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept exploits are likely to emerge given the ease of exploitation.
Exploit Status
EPSS
0.36% (58th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-6482 is to upgrade the Login with Phone Number plugin to version 1.7.50 or later, which contains the fix. If immediate upgrading is not possible, consider restricting user roles and permissions within WordPress to limit the potential impact of a successful attack. Implement a Web Application Firewall (WAF) with rules to detect and block suspicious requests targeting the 'lwpupdatepassword_action' function. Regularly audit user roles and permissions to identify any unauthorized elevation.
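The last two mitigations above (WAF rules and regular role audits) are easier to act on with something that watches role changes as they happen. The following must-use plugin is an added example written for this page; it is not part of the Login with Phone Number plugin or of this advisory. It uses only WordPress core hooks and functions (`set_user_role`, `add_user_role`, `user_can`, `get_users`, `wp_mail`); the `arcm_` names, the file location (`wp-content/mu-plugins/`) and the choice of "administrator" as the only sensitive role are assumptions you can adjust.

```php
<?php
/**
 * Plugin Name: Admin Role Change Monitor (added example, not the plugin's own code)
 * Description: Logs every promotion to Administrator and e-mails the site admin
 *              when the promotion was not performed by someone allowed to promote
 *              users. Place this file in wp-content/mu-plugins/ so it loads on
 *              every request. Core hook/function names are real; the arcm_ names
 *              and the role list are assumptions for this example.
 */

// Roles whose acquisition should raise an alert (assumption: only administrator).
const ARCM_SENSITIVE_ROLES = array( 'administrator' );

/**
 * Build a one-line audit record for a role change. Returned (not only logged)
 * so it can be reused by both hooks below.
 */
function arcm_describe_change( $user_id, $new_role, $old_roles ) {
    $target = get_userdata( $user_id );
    $actor  = wp_get_current_user();
    return sprintf(
        '[role-monitor] user #%d (%s) granted "%s" (previous roles: %s) by #%d (%s) from %s via %s',
        (int) $user_id,
        $target ? $target->user_login : 'unknown',
        $new_role,
        implode( ',', (array) $old_roles ) ?: 'none',
        (int) $actor->ID,
        $actor->ID ? $actor->user_login : 'no-session',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'cli'
    );
}

/**
 * Core fires 'set_user_role' from WP_User::set_role() with (user_id, new_role,
 * old_roles) and 'add_user_role' from WP_User::add_role() with (user_id, role).
 * Both paths can hand out Administrator, so both are watched.
 */
function arcm_on_role_granted( $user_id, $new_role, $old_roles = array() ) {
    if ( ! in_array( $new_role, ARCM_SENSITIVE_ROLES, true ) ) {
        return; // demotion or a role we do not care about
    }
    if ( in_array( $new_role, (array) $old_roles, true ) ) {
        return; // the account already held this role
    }

    $actor = wp_get_current_user();
    // A promotion with no logged-in actor (e.g. a self-service login/password
    // flow) or by an actor lacking 'promote_users' is the pattern to escalate.
    $suspicious = ! $actor->ID || ! user_can( $actor, 'promote_users' );

    $record = arcm_describe_change( $user_id, $new_role, $old_roles )
            . ( $suspicious ? ' [SUSPICIOUS]' : '' );
    error_log( $record ); // lands in the PHP error log / WP_DEBUG_LOG

    if ( $suspicious ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Unexpected Administrator promotion on ' . home_url(),
            $record . "\n\nReview this account and the request that triggered it."
        );
    }
}
add_action( 'set_user_role', 'arcm_on_role_granted', 10, 3 );
add_action( 'add_user_role', 'arcm_on_role_granted', 10, 2 );

/**
 * Baseline check for periodic audits: returns every administrator account so
 * the set can be diffed against a known-good list, e.g. from WP-CLI:
 *   wp eval 'print_r( arcm_list_administrators() );'
 */
function arcm_list_administrators() {
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_registered' ),
    ) );
    $out = array();
    foreach ( $admins as $a ) {
        $out[ (int) $a->ID ] = array(
            'login'      => $a->user_login,
            'registered' => $a->user_registered,
        );
    }
    return $out;
}
```

One caveat worth knowing before relying on this: the two hooks only fire when roles are changed through `WP_User::set_role()` or `add_role()`. Code that writes the `wp_capabilities` user meta directly bypasses them, which is why the baseline list from `arcm_list_administrators()` should still be compared against an expected set on a schedule rather than trusting the real-time alert alone.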
Update the Login with phone number plugin to the latest available version. This fixes the privilege escalation vulnerability that allows authenticated users with the Subscriber role or higher to elevate their privileges to Administrator.
CVE-2024-6482 is a HIGH severity vulnerability allowing authenticated WordPress users to escalate their privileges to Administrator roles within the Login with Phone Number plugin.
You are affected if you are using the Login with Phone Number plugin in WordPress versions 1.7.49 or earlier. Versions 1.7.40-1.7.49 require the 'Login with Phone Number Pro' plugin to be present.
Upgrade the Login with Phone Number plugin to version 1.7.50 or later to resolve the vulnerability. Consider restricting user roles as an interim measure.
While there are no confirmed active campaigns currently, the vulnerability's ease of exploitation makes it a potential target.
Refer to the plugin developer's website or WordPress plugin repository for the latest advisory and update information.