WordPress OTP Login With Phone Number Plugin Authentication Bypass Vulnerability

Vulnerability

A vulnerability allowing authentication bypass has been identified in the OTP Login With Phone Number, OTP Verification plugin for WordPress, specifically in versions 1.8.50 to 1.8.60. The issue arises in the `lwp_ajax_register` AJAX handler, where the Firebase verification flow fails to properly associate the Firebase session with the phone number provided in the request. Although the `idehweb_lwp_activate_through_firebase()` function verifies the legitimacy of a Firebase OTP session, it does not compare the `phoneNumber` returned by Firebase with the victim's stored phone number. This oversight enables unauthenticated attackers to authenticate as any user with a phone number in user meta, including administrators, by validating their own Firebase session and entering the victim's phone number in the same request.

Impact

Exploitation of this vulnerability allows for unauthorized authentication, potentially granting access to sensitive user accounts, including those of administrators.

Reproduction

To reproduce this vulnerability, send a request to the `lwp_ajax_register` AJAX handler with a valid Firebase verification ID and code, along with a phone number that belongs to a user with an account on the WordPress site. The request will bypass authentication checks and log in as the specified user.

Remediation

Users are advised to update the OTP Login With Phone Number, OTP Verification plugin to version 1.8.61 or later, where this vulnerability has been addressed.
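The fix described above amounts to binding the verified Firebase session to the phone number the request asks to log in as. The following PHP sketch is an added example, not the plugin's own code: it assumes a hypothetical verifier callable standing in for `idehweb_lwp_activate_through_firebase()` that returns the Firebase `phoneNumber` on success, and helper names prefixed `example_` are invented for illustration.

```php
<?php
// Added example (not plugin code): the missing check is that the phoneNumber
// asserted by the verified Firebase session must equal the phone number
// supplied in the lwp_ajax_register request before any user lookup happens.

/**
 * Normalize to digits only so "+1 (555) 010-0000" and "15550100000" compare
 * equal. Hypothetical helper; a real plugin would use its own normalization.
 */
function example_normalize_phone(string $phone): string {
    return preg_replace('/\D+/', '', $phone);
}

/**
 * Return true only when the Firebase session's phone number matches the
 * requested one. Empty values never match: a session with no phone number
 * proves nothing about who the caller is.
 */
function example_firebase_phone_matches(string $firebase_phone, string $requested_phone): bool {
    $a = example_normalize_phone($firebase_phone);
    $b = example_normalize_phone($requested_phone);
    if ($a === '' || $b === '') {
        return false;
    }
    return hash_equals($a, $b);
}

/**
 * Hardened shape of the flow. $verify stands in for the Firebase session
 * check and returns the verified phoneNumber string, or null on failure.
 * Returns the normalized phone number the caller may look a user up by,
 * or null when login must be refused.
 */
function example_login_via_firebase(callable $verify, string $verification_id, string $code, string $requested_phone): ?string {
    $firebase_phone = $verify($verification_id, $code);
    if ($firebase_phone === null) {
        return null; // OTP session is not valid at all
    }
    // The fix: refuse when the session belongs to a different number than
    // the one the request wants to authenticate as.
    if (!example_firebase_phone_matches($firebase_phone, $requested_phone)) {
        return null;
    }
    return example_normalize_phone($requested_phone);
}

// Constructed demonstration: the stub verifier only knows one session.
$verify = fn(string $id, string $c): ?string =>
    ($id === 'vid-1' && $c === '123456') ? '+15550100000' : null;
var_dump(example_login_via_firebase($verify, 'vid-1', '123456', '+1 555 010 0000'));
var_dump(example_login_via_firebase($verify, 'vid-1', '123456', '+15550199999'));
```

The first call succeeds because the session and request phone numbers agree; the second is refused, which is exactly the case the vulnerable versions let through.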

Added: May 29, 2026, 8:24 AM
Updated: May 29, 2026, 8:24 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 5.0
exploitability: 8.9
remediation: 7.7
relevance: 9.8
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.