CVE-2024-6482: CWE-269 Improper Privilege Management in glboy Login with phone number
CVE-2024-6482 is a high-severity privilege escalation vulnerability in the WordPress plugin 'Login with phone number' by glboy, affecting all versions up to and including 1.7.49. The flaw arises from improper privilege management: the 'lwp_update_password_action' function acts on user-supplied data without validation and without a capability check. Authenticated users with Subscriber-level access or higher can exploit this to escalate their privileges to any role, including Administrator, without user interaction. Versions 1.7.40 to 1.7.49 require the Pro plugin to be installed to be exploitable, while earlier versions are exploitable with the free plugin alone.
AI Analysis
Technical Summary
CVE-2024-6482 is a high-severity privilege escalation vulnerability in the 'Login with phone number' WordPress plugin developed by glboy. It is classified as CWE-269 (Improper Privilege Management): the 'lwp_update_password_action' function acts on user-supplied data without validating it and without performing a capability check. The function is intended to handle password updates, but it never verifies that the requesting user is permitted to change a user role, so any authenticated user with Subscriber-level access or above can use it to assign themselves any role, including Administrator, and thereby take full control of the site. All plugin versions up to and including 1.7.49 are affected. Versions below 1.7.40 are exploitable with the free plugin alone; on versions 1.7.40 through 1.7.49 exploitation requires the Pro plugin to be installed as well. No authentication bypass or user interaction is needed beyond a valid account at Subscriber level or higher (Subscriber is the default role WordPress assigns to self-registered users on sites that allow registration). The CVSS v3.1 base score is 8.8 (High), reflecting a network attack vector, low attack complexity, low privileges required and no user interaction. No public exploitation is reported at the time of writing, but the low barrier to exploitation and the severity of the outcome make this a significant threat to any site running the plugin.
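To make the CWE-269 pattern concrete, the PHP below is an added illustration written for this page; it is not the glboy plugin's code, and the AJAX action names, the nonce action and the request field names (password, role, user_id) are assumptions, since the advisory does not publish the plugin's internals. The first handler shows the class of bug the advisory describes: a password-update endpoint that also honours a caller-supplied role with no capability check, so a Subscriber can post role=administrator. The second shows the hardened shape using WordPress core APIs: a nonce check against CSRF, password handling restricted to the caller's own account, and a role change that is only accepted from a caller who holds promote_users, may edit the target user, and names a role that get_editable_roles() allows them to assign.

```php
<?php
// Added example for this page; NOT the glboy plugin's code. The AJAX action
// names, the nonce action and the POST field names are assumptions.

// --- Vulnerable shape (CWE-269), shown for comparison only: every logged-in
// user reaches this handler, and the role field is trusted without ever
// asking whether the caller is allowed to set roles.
function example_vulnerable_update_password() {
    $user = wp_get_current_user();
    if ( ! $user->exists() ) {
        wp_send_json_error( 'login required', 401 );
    }

    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';
    wp_set_password( $password, $user->ID );

    // The flaw: a Subscriber can post role=administrator and become one.
    if ( ! empty( $_POST['role'] ) ) {
        $user->set_role( sanitize_key( wp_unslash( $_POST['role'] ) ) );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_password', 'example_vulnerable_update_password' );

// --- Hardened shape: CSRF nonce, own-account password change only, and role
// changes gated on a capability check plus an allow-list of assignable roles.
function example_hardened_update_password() {
    // Rejects requests that do not carry a nonce minted for this action.
    check_ajax_referer( 'example_update_password', 'nonce' );

    $actor = wp_get_current_user();
    if ( ! $actor->exists() ) {
        wp_send_json_error( 'login required', 401 );
    }

    $password = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';
    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( 'password must be at least 12 characters', 400 );
    }
    // A password endpoint only ever touches the caller's own account.
    wp_set_password( $password, $actor->ID );

    if ( isset( $_POST['role'] ) ) {
        // Role assignment is a separate privileged operation: the caller must
        // hold promote_users, must be allowed to edit the target user, and may
        // only hand out a role the editable_roles filter permits them to assign.
        if ( ! current_user_can( 'promote_users' ) ) {
            wp_send_json_error( 'insufficient privileges', 403 );
        }
        $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
        $target    = $target_id ? get_user_by( 'id', $target_id ) : false;
        if ( ! $target || ! current_user_can( 'edit_user', $target->ID ) ) {
            wp_send_json_error( 'cannot edit that user', 403 );
        }
        $role = sanitize_key( wp_unslash( $_POST['role'] ) );
        require_once ABSPATH . 'wp-admin/includes/user.php';
        if ( ! array_key_exists( $role, get_editable_roles() ) ) {
            wp_send_json_error( 'role not assignable', 400 );
        }
        $target->set_role( $role );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_hardened_update_password', 'example_hardened_update_password' );
```

The practical test for any plugin endpoint that can change a role is the same as in the hardened branch: find the call to set_role(), add_role() or wp_update_user() with a role argument and walk backwards until you find a current_user_can() check on a role-management capability and a nonce check; if either is missing, the endpoint has the same shape as this CVE.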
Potential Impact
An attacker holding nothing more than a Subscriber account can promote themselves to Administrator and obtain full control of the affected site: installing malicious plugins or themes (and with them arbitrary PHP code), modifying content, reading user data and any credentials or API keys stored in the site's configuration, and disrupting availability. A compromised administrator account can also serve as a foothold for lateral movement where the site is integrated with internal systems such as single sign-on, CRM or e-mail. Because exploitation needs no user interaction and has low complexity, attacks are likely once the vulnerability is widely known. Organizations that depend on this plugin for phone-number authentication therefore face a high risk to the confidentiality, integrity and availability of their entire web presence.
Mitigation Recommendations
1. Update the 'Login with phone number' plugin to a release later than 1.7.49 as soon as one is available; until then, treat every site running 1.7.49 or earlier as exposed.
2. If no fixed release is available, deactivate the plugin (and the Pro plugin) rather than leaving the vulnerable code reachable.
3. Reduce the pool of accounts that can reach the flaw: exploitation needs only a Subscriber account, so disable open user registration where it is not required and remove stale low-privilege accounts.
4. Monitor and alert on role changes. A role change in WordPress updates the user's capabilities user meta and fires the core set_user_role action, so an audit-log plugin, a database trigger or a small hook on that action can catch an escalation in progress. Also review the accounts currently holding Administrator for members you do not recognize, and rotate their credentials if any are found.
5. Deploy Web Application Firewall (WAF) rules that block requests that attempt to invoke the 'lwp_update_password_action' function, with particular attention to requests carrying a role value.
6. Note that on versions 1.7.40 through 1.7.49 the Pro plugin must be installed for exploitation; if it is installed, treat the site as fully vulnerable rather than partially mitigated.
7. Educate site administrators on the risks of privilege escalation and schedule regular reviews of user roles and pending plugin updates.
8. Apply additional hardening such as two-factor authentication for privileged accounts and least-privilege role assignment for all users.
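Recommendation 4 can be implemented without a commercial audit-log product. The must-use plugin below is an added example for this page (not the glboy plugin's code and not part of the advisory): it hooks WordPress core's set_user_role and add_user_role actions, which fire on every role change including one made through a vulnerable plugin handler, and records any elevation to a privileged role performed by a caller who does not hold promote_users, which is exactly the shape this exploit takes (a Subscriber promoting itself). The rem_ prefix, the log line format and the choice of manage_options or promote_users as the definition of "privileged" are assumptions. A second function lists every account currently holding a privileged role for the post-incident review the recommendation asks for.

```php
<?php
/**
 * Plugin Name: Role Escalation Monitor (added example)
 * Description: Logs and alerts on role elevations performed by callers who lack
 *              promote_users. Copy into wp-content/mu-plugins/ to activate.
 */

// A role is treated as privileged if it can manage options or promote users.
// This definition is an assumption made for this example.
function rem_role_is_privileged( $role ) {
    $role_obj = get_role( $role );
    if ( ! $role_obj ) {
        return false;
    }
    return ! empty( $role_obj->capabilities['manage_options'] )
        || ! empty( $role_obj->capabilities['promote_users'] );
}

// Fired by WP_User::set_role() as ( $user_id, $new_role, $old_roles ) and by
// WP_User::add_role() as ( $user_id, $new_role ), so $old_roles is optional.
function rem_on_role_change( $user_id, $new_role, $old_roles = array() ) {
    // WP-CLI administration runs without a logged-in user; do not alert on it.
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return;
    }
    $actor_id  = get_current_user_id();
    $actor_can = $actor_id && user_can( $actor_id, 'promote_users' );

    // Only elevations to a privileged role by someone who may not promote users
    // are suspicious; legitimate admin edits pass the capability check.
    if ( ! rem_role_is_privileged( $new_role ) || $actor_can ) {
        return;
    }

    $record = array(
        'time'      => gmdate( 'c' ),
        'user_id'   => (int) $user_id,
        'old_roles' => implode( ',', (array) $old_roles ),
        'new_role'  => $new_role,
        'actor_id'  => $actor_id,
        'self'      => ( $actor_id === (int) $user_id ),
        'ip'        => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'uri'       => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        // For admin-ajax.php requests this is the AJAX action name, which lets
        // the log entry be matched against the function named in the advisory.
        'action'    => isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '',
    );
    error_log( 'REM role escalation: ' . wp_json_encode( $record ) );
    wp_mail(
        get_option( 'admin_email' ),
        'Suspicious role escalation on ' . home_url(),
        wp_json_encode( $record, JSON_PRETTY_PRINT )
    );
}
add_action( 'set_user_role', 'rem_on_role_change', 10, 3 );
add_action( 'add_user_role', 'rem_on_role_change', 10, 2 );

// Incident-response helper: every account holding a privileged role, with its
// registration date. Run with: wp eval 'print_r( rem_list_privileged_users() );'
function rem_list_privileged_users() {
    $privileged_roles = array();
    foreach ( array_keys( wp_roles()->roles ) as $slug ) {
        if ( rem_role_is_privileged( $slug ) ) {
            $privileged_roles[] = $slug;
        }
    }
    $out = array();
    foreach ( get_users( array( 'role__in' => $privileged_roles ) ) as $u ) {
        $out[] = array(
            'ID'         => $u->ID,
            'login'      => $u->user_login,
            'registered' => $u->user_registered,
            'roles'      => $u->roles,
        );
    }
    return $out;
}
```

The hook fires after the role has already been written, so this is detection rather than prevention; pair it with the update or deactivation in recommendations 1 and 2. Because the check is on the actor's capabilities rather than on a specific endpoint, it also catches the same escalation pattern in any other plugin.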
Affected Countries
United States, Germany, United Kingdom, India, Australia, Canada, France, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-07-03T16:05:30.839Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c04b7ef31ef0b55effd
Added to database: 2/25/2026, 9:39:16 PM
Last enriched: 2/26/2026, 3:11:57 AM
Last updated: 2/26/2026, 7:44:17 AM