CVE-2024-6125: CWE-640 Weak Password Recovery Mechanism for Forgotten Password in glboy OTP Login With Phone Number, OTP Verification
The Login with phone number plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.7.34. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing a 6-digit numeric reset code.
AI Analysis
Technical Summary
The vulnerability in the 'OTP Login With Phone Number, OTP Verification' WordPress plugin arises from a weak password recovery mechanism (CWE-640). The plugin generates a 6-digit numeric reset code that is too weak to resist guessing attacks. Additionally, there are no restrictions on the number of attempts or time limits for using the reset code, enabling unauthenticated attackers to reset passwords of arbitrary users by brute forcing the reset code. This affects all versions up to and including 1.7.34. The CVSS 3.1 score is 8.1, reflecting network attack vector, high complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows unauthenticated attackers to reset the password of any user, leading to full account takeover. This compromises user confidentiality, integrity, and availability of affected accounts. The vulnerability can severely impact the security of WordPress sites using this plugin, potentially allowing attackers to gain unauthorized access and control.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling the plugin or restricting access to password reset functionality. Monitoring for suspicious password reset activity is advised. Avoid relying solely on this plugin for authentication until the vulnerability is addressed.
CVE-2024-6125: CWE-640 Weak Password Recovery Mechanism for Forgotten Password in glboy OTP Login With Phone Number, OTP Verification
Description
The Login with phone number plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.7.34. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing a 6-digit numeric reset code.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in the 'OTP Login With Phone Number, OTP Verification' WordPress plugin arises from a weak password recovery mechanism (CWE-640). The plugin generates a 6-digit numeric reset code that is too weak to resist guessing attacks. Additionally, there are no restrictions on the number of attempts or time limits for using the reset code, enabling unauthenticated attackers to reset passwords of arbitrary users by brute forcing the reset code. This affects all versions up to and including 1.7.34. The CVSS 3.1 score is 8.1, reflecting network attack vector, high complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation allows unauthenticated attackers to reset the password of any user, leading to full account takeover. This compromises user confidentiality, integrity, and availability of affected accounts. The vulnerability can severely impact the security of WordPress sites using this plugin, potentially allowing attackers to gain unauthorized access and control.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling the plugin or restricting access to password reset functionality. Monitoring for suspicious password reset activity is advised. Avoid relying solely on this plugin for authentication until the vulnerability is addressed.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-06-18T13:49:13.613Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6bfab7ef31ef0b55d4ab
Added to database: 2/25/2026, 9:39:06 PM
Last enriched: 4/9/2026, 8:16:11 PM
Last updated: 4/14/2026, 3:46:50 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.