CVE-2024-5150 — AI Deep Analysis Summary

🚨 **Essence**: A critical auth bypass in 'Login with phone number' plugin (v1.7.26 & prior). <br>🔥 **Consequences**: Attackers bypass identity verification entirely.…

🛡️ **Root Cause**: Missing non-null check in `wp_ajax_register` function. <br>📉 **CWE**: CWE-288 (Authentication Bypass Using an Alternate Path or Bypass). The code fails to validate input properly.

🏢 **Vendor**: glboy. <br>📦 **Product**: OTP Login With Phone Number / OTP Verification. <br>📅 **Affected**: Versions **1.7.26 and earlier**. WordPress core is also mentioned but the specific flaw is in the plugin.

💻 **Privileges**: Attackers gain unauthorized access. <br>🔓 **Impact**: High Confidentiality, Integrity, and Availability impact. Essentially, they can log in as any user or create accounts without proper verification.

⚡ **Threshold**: **LOW**. <br>🌐 **Network**: AV:N (Network exploitable). <br>🔑 **Auth**: PR:N (No privileges required). <br>👀 **UI**: UI:N (No user interaction needed). Easy to exploit remotely.

🕵️ **Exploit Status**: No public PoC/Exploit listed in the data (`pocs: []`).…

🔍 **Self-Check**: Scan for installed version of 'Login with phone number'. <br>📊 **Indicator**: Check if version ≤ 1.7.26.…

✅ **Fix**: Yes, updated versions exist. <br>🔗 **Reference**: Changeset 3090754 indicates a fix was committed. <br>📥 **Action**: Update to the latest version immediately via WordPress admin or manual download.

🚧 **Workaround**: If patching is delayed, **disable the plugin** immediately. <br>🔒 **Alternative**: Switch to standard email/password authentication or a different, secure phone login plugin.…

🔴 **Priority**: **CRITICAL**. <br>🚀 **Urgency**: High. CVSS 3.1 vector indicates severe impact. <br>⏱️ **Action**: Patch NOW. This allows direct authentication bypass, posing an immediate threat to site security.