CVE-2022-0593 - Vulnerability Details - OpenCVE

Description

The Login with phone number WordPress plugin before 1.3.7 includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated user to remotely delete the plugin files leading to a potential Denial of Service situation.

Published: 2022-03-14

Score: 6.5 Medium

EPSS: 1.4% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Unknown

Login with phone number

affected

Version	Status	Constraints
`1.3.7`	affected	< 1.3.7

Configuration 1 [-]

cpe:2.3:a:idehweb:login_with_phone_number:*:*:*:*:*:wordpress:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-15700	The Login with phone number WordPress plugin before 1.3.7 includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated user to remotely delete the plugin files leading to a potential Denial of Service situation.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.01419.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://wordpress.org/plugins/login-with-phone-number
https://wpscan.com/vulnerability/76a50157-04b5-43e8-afbc-a6ddf6d1cba3

History

No history.

Subscriptions

Idehweb Login With Phone Number

MITRE

Status: PUBLISHED

Assigner: WPScan

Published: 2022-03-14T14:41:36.000Z

Updated: 2024-08-02T23:32:46.276Z

Reserved: 2022-02-14T00:00:00.000Z

Link: CVE-2022-0593

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-03-14T15:15:10.087

Modified: 2026-06-17T04:20:54.183

Link: CVE-2022-0593

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-73
External Control of File Name or Path

{"containers": {"cna": {"affected": [{"product": "Login with phone number", "vendor": "Unknown", "versions": [{"lessThan": "1.3.7", "status": "affected", "version": "1.3.7", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Michal Lipinski"}], "descriptions": [{"lang": "en", "value": "The Login with phone number WordPress plugin before 1.3.7 includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated user to remotely delete the plugin files leading to a potential Denial of Service situation."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-14T14:41:36.000Z", "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wpscan.com/vulnerability/76a50157-04b5-43e8-afbc-a6ddf6d1cba3"}, {"tags": ["x_refsource_MISC"], "url": "https://wordpress.org/plugins/login-with-phone-number"}], "source": {"discovery": "EXTERNAL"}, "title": "Login with phone number < 1.3.7 - Unauthenticated remote plugin deletion", "x_generator": "WPScan CVE Generator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "contact@wpscan.com", "ID": "CVE-2022-0593", "STATE": "PUBLIC", "TITLE": "Login with phone number < 1.3.7 - Unauthenticated remote plugin deletion"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Login with phone number", "version": {"version_data": [{"version_affected": "<", "version_name": "1.3.7", "version_value": "1.3.7"}]}}]}, "vendor_name": "Unknown"}]}}, "credit": [{"lang": "eng", "value": "Michal Lipinski"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Login with phone number WordPress plugin before 1.3.7 includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated user to remotely delete the plugin files leading to a potential Denial of Service situation."}]}, "generator": "WPScan CVE Generator", "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-73 External Control of File Name or Path"}]}]}, "references": {"reference_data": [{"name": "https://wpscan.com/vulnerability/76a50157-04b5-43e8-afbc-a6ddf6d1cba3", "refsource": "MISC", "url": "https://wpscan.com/vulnerability/76a50157-04b5-43e8-afbc-a6ddf6d1cba3"}, {"name": "https://wordpress.org/plugins/login-with-phone-number", "refsource": "MISC", "url": "https://wordpress.org/plugins/login-with-phone-number"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:32:46.276Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpscan.com/vulnerability/76a50157-04b5-43e8-afbc-a6ddf6d1cba3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wordpress.org/plugins/login-with-phone-number"}]}]}, "cveMetadata": {"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "cveId": "CVE-2022-0593", "datePublished": "2022-03-14T14:41:36.000Z", "dateReserved": "2022-02-14T00:00:00.000Z", "dateUpdated": "2024-08-02T23:32:46.276Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"affected": [{"affectedData": [{"product": "Login with phone number", "vendor": "Unknown", "versions": [{"lessThan": "1.3.7", "status": "affected", "version": "1.3.7", "versionType": "custom"}]}], "source": "contact@wpscan.com"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:idehweb:login_with_phone_number:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "2E101820-E5EA-4133-A619-97CA78A67155", "versionEndExcluding": "1.3.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Login with phone number WordPress plugin before 1.3.7 includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated user to remotely delete the plugin files leading to a potential Denial of Service situation."}, {"lang": "es", "value": "El plugin Login with phone number de WordPress versiones anteriores a 1.3.7, incluye un archivo delete.php sin ning\u00fan tipo de comprobaci\u00f3n de autenticaci\u00f3n o autorizaci\u00f3n en el directorio del plugin, permitiendo a un usuario no autenticado eliminar los archivos del plugin de forma remota, conllevando a una posible situaci\u00f3n de Denegaci\u00f3n de Servicio"}], "id": "CVE-2022-0593", "lastModified": "2026-06-17T04:20:54.183", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-14T15:15:10.087", "references": [{"source": "contact@wpscan.com", "tags": ["Third Party Advisory"], "url": "https://wordpress.org/plugins/login-with-phone-number"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/76a50157-04b5-43e8-afbc-a6ddf6d1cba3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://wordpress.org/plugins/login-with-phone-number"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/76a50157-04b5-43e8-afbc-a6ddf6d1cba3"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "contact@wpscan.com", "type": "Secondary"}]}