CVE-2023-23492
published 2023-01-20


Priority: P2 (72, high)
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Exploit: EXPLOIT
EPSS: 57.40% (99.0th percentile)
The Login with Phone Number WordPress Plugin, version < 1.4.2, is affected by an authenticated SQL injection vulnerability in the 'ID' parameter of its 'lwp_forgot_password' action.

Affected

3 ranges

Vendor   | Product                 | Version range             | Fixed in
---------|-------------------------|---------------------------|---------
idehweb  | login_with_phone_number | < 1.4.2                   | 1.4.2
pimcore  | pimcore                 | >= 0 < 11.5.14            | 11.5.14
pimcore  | pimcore                 | >= 12.0.0-RC1 < 12.3.1    | 12.3.1

Detection & IOCs (extracted from sources)

  • Monitor for authenticated POST requests targeting the 'lwp_forgot_password' WordPress action with a manipulated 'ID' parameter; this is the vector for the SQL injection vulnerability in Login with Phone Number plugin < 1.4.2.
  • The SQL injection requires authentication; unauthenticated scanning will not trigger this vulnerability. Ensure detection rules account for authenticated sessions.
  • The vulnerability affects only Login with Phone Number plugin versions strictly less than 1.4.2; version 1.4.2 and above are not affected.

CVSS provenance

Source | CVSS version | Score | Severity | Vector
-------|--------------|-------|----------|-------
nvd    | v3.1         | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ghsa   |              | 8.8   | HIGH     |