Authentication Bypass in OTP Login Plugin for WordPress
CVE-2023-2706

8.1 HIGH

Key Information:

Vendor: WordPress

CVE Published: 17 May 2023

What is CVE-2023-2706?

The OTP Login Woocommerce & Gravity Forms plugin for WordPress is affected by an authentication bypass vulnerability. When it generates a One-Time Password (OTP) code for login by phone number, the plugin includes that code in the AJAX response it returns to the requester. An unauthenticated attacker who knows the phone number configured on an administrator account (for example, obtained through social engineering or reconnaissance) can therefore request a login code for that account and read it directly from the response, without ever receiving the SMS. Because the OTP is the only factor protecting the login, this defeats the authentication process and poses a serious risk to site security.
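To make the defect concrete, the following added example contrasts the bug class described above (an AJAX handler that echoes the freshly generated OTP back to the caller) with a hardened handler that keeps the code server-side. This is illustrative code written for this page, not the plugin's own source; every function name prefixed `hypo_`, the transient key scheme and the nonce action are assumptions.

```php
<?php
// Hypothetical WordPress AJAX handlers illustrating CVE-2023-2706's bug class.
// Not the affected plugin's code; hypo_send_sms() is an assumed SMS helper.

// VULNERABLE PATTERN: the generated code is placed in the JSON response, so
// whoever submitted the phone number can read the OTP without the SMS.
function hypo_otp_send_vulnerable() {
    $phone = sanitize_text_field( $_POST['phone'] ?? '' );
    $code  = (string) wp_rand( 100000, 999999 );
    set_transient( 'hypo_otp_' . md5( $phone ), $code, 5 * MINUTE_IN_SECONDS );
    hypo_send_sms( $phone, $code );
    wp_send_json_success( array( 'otp' => $code, 'phone' => $phone ) ); // leaks the secret
}

// HARDENED PATTERN: the OTP leaves the server only via SMS, only a hash of it
// is stored, it expires, and the response carries status information only.
function hypo_otp_send_hardened() {
    check_ajax_referer( 'hypo_otp_nonce', 'nonce' );
    $phone = sanitize_text_field( $_POST['phone'] ?? '' );
    $code  = (string) wp_rand( 100000, 999999 );
    set_transient( 'hypo_otp_' . md5( $phone ), wp_hash_password( $code ), 5 * MINUTE_IN_SECONDS );
    hypo_send_sms( $phone, $code );
    wp_send_json_success( array( 'sent' => true ) ); // no code in the response
}

// Verification compares against the stored hash and makes the code single-use.
function hypo_otp_verify_hardened() {
    check_ajax_referer( 'hypo_otp_nonce', 'nonce' );
    $phone = sanitize_text_field( $_POST['phone'] ?? '' );
    $code  = sanitize_text_field( $_POST['code'] ?? '' );
    $key   = 'hypo_otp_' . md5( $phone );
    $hash  = get_transient( $key );
    if ( false === $hash || ! wp_check_password( $code, $hash ) ) {
        wp_send_json_error( array( 'message' => 'invalid or expired code' ), 403 );
    }
    delete_transient( $key ); // burn the code after one successful use
    // Look up the user by phone and call wp_set_auth_cookie() here (omitted).
    wp_send_json_success( array( 'verified' => true ) );
}

// Only the hardened handlers are exposed to unauthenticated (nopriv) callers.
add_action( 'wp_ajax_nopriv_hypo_otp_send',   'hypo_otp_send_hardened' );
add_action( 'wp_ajax_nopriv_hypo_otp_verify', 'hypo_otp_verify_hardened' );
```

When auditing a plugin for this issue, inspect every `wp_send_json*` / `echo` in the OTP-sending path and confirm the response body contains no value derived from the generated code; rate-limiting the send endpoint per phone number and per IP is a sensible additional control.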

Affected Version(s)

OTP Login & Register Woocommerce: versions 0 through 2.2 (inclusive)

References

CVSS v3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability Published

  • Vulnerability Reserved

Credit

Lana Codes