Description
The Login with phone number WordPress plugin before 1.3.7 includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated user to remotely delete the plugin files leading to a potential Denial of Service situation.
References
https://wordpress.org/plugins/login-with-phone-number
Third Party Advisory
https://wpscan.com/vulnerability/76a50157-04b5-43e8-afbc-a6ddf6d1cba3
ExploitThird Party Advisory
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
6.5 · Medium
CVSS V3.1
CVSS V3.0
CVSS V2.0
Information
Source identifier
Vulnerability status
Analyzed
Published
2022-03-14T15:15:10.087
3 years agoLast modified
2022-03-21T20:58:54.230
3 years ago