Vulnerabilities and security researches formobile-login-woocommerce mobile-login-woocommerce

Jun 06, 2024

CVE, Research URL: 0945d4c39609a471ea33f7e0b6d32b6531a27061
Home page URL: Security reports for OTP Login Woocommerce (Login with OTP)
Application: OTP Login Woocommerce (Login with OTP)
Date: May 26, 2022
Research Description: OTP Login Woocommerce (Login with OTP) [mobile-login-woocommerce] < 2.1 OTP Login Woocommerce & Gravity Forms <= 2.0 - Cross-Site Scripting The plugin OTP Login Woocommerce & Gravity Forms for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.1.
Status: vulnerable

CVE, Research URL: CVE-2023-2706
Home page URL: Security reports for OTP Login Woocommerce (Login with OTP)
Application: OTP Login Woocommerce (Login with OTP)
Date: May 17, 2023
Research Description: The OTP Login Woocommerce & Gravity Forms plugin for WordPress is vulnerable to authentication bypass. This is due to the fact that when generating OTP codes for users to use in order to login via phone number, the plugin returns these codes in an AJAX response. This makes it possible for unauthenticated attackers to obtain login codes for administrators. This does require an attacker have access to the phone number configured for an account, which can be obtained via social engineering or reconnaissance.
Affected versions: max 2.3.
Status: vulnerable