CVE-2023-4916

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in the WordPress Login with phone number plugin allows unauthenticated attackers to change user passwords by tricking administrators into clicking malicious links. All WordPress sites using vulnerable plugin versions are affected, potentially leading to account takeover.

💻 Affected Systems

Products:
  • WordPress Login with phone number plugin
Versions: All versions up to and including 1.5.6
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires plugin to be installed and active. WordPress multisite installations may be affected across all sites.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Site administrator account compromise leading to complete website takeover, data theft, malware injection, or site defacement.

🟠 Likely Case

Privileged user account compromise enabling content manipulation, plugin/theme installation, or data access.

🟢 If Mitigated

No impact if proper CSRF protections are in place or plugin is updated/disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires social engineering to trick authenticated users into clicking malicious links or visiting compromised sites.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.7 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/login-with-phonenumber.php?rev=2967707

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Login with phone number' plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.5.7+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable plugin

Scope: all

Temporarily deactivate the Login with phone number plugin until patched:

wp plugin deactivate login-with-phone-number

Implement CSRF protection middleware

Scope: all

Add WordPress nonce validation to all form submissions

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block CSRF attacks targeting password reset endpoints
  • Restrict admin panel access to specific IP addresses or VPN-only connections

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Login with phone number → Version. If version is 1.5.6 or lower, you are vulnerable.

Check Version:

wp plugin get login-with-phone-number --field=version

Verify Fix Applied:

Verify plugin version is 1.5.7 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Multiple password change requests from same IP without corresponding login
  • POST requests to /wp-admin/admin-ajax.php with action=lwp_update_password_action

Network Indicators:

  • Unusual outbound connections after admin visits
  • CSRF payloads in HTTP referer headers

SIEM Query:

source="wordpress.log" AND ("lwp_update_password_action" OR ("password changed" AND NOT "user logged in"))
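The log indicators above, turned into detection logic as an added example that is not part of this advisory: it parses constructed web-server access-log lines and flags password-change requests to admin-ajax.php whose Referer origin is not the site itself, or whose source IP never sent a login POST beforehand. The site hostname blog.example, the sample IPs, and the assumption that the plugin action name appears in the logged request line are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in combined log format (not real traffic). Assumption:
# the plugin action name is visible in the logged request line, e.g. as a query
# parameter; adapt the pattern if your server only records it in the POST body.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://blog.example/wp-login.php" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2023:10:05:12 +0000] "POST /wp-admin/admin-ajax.php?action=lwp_update_password_action HTTP/1.1" 200 45 "https://blog.example/wp-admin/profile.php" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2023:11:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=lwp_update_password_action HTTP/1.1" 200 45 "https://third-party.example/page.html" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2023:11:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=lwp_update_password_action HTTP/1.1" 200 45 "https://third-party.example/page.html" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
PASSWORD_ACTION = "lwp_update_password_action"  # action name from the advisory

def parse_line(line):
    """Return the fields we need as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_password_change(rec):
    return (rec["method"] == "POST"
            and rec["path"].startswith("/wp-admin/admin-ajax.php")
            and PASSWORD_ACTION in rec["path"])

def analyze(log_text, site_host):
    """Return (ip, timestamp, reason) for each password change that is flagged:
    Referer origin is not the site itself (a cross-site submission, which is what
    a CSRF lure produces), or the source IP never sent a login POST beforehand."""
    findings = []
    seen_login = set()  # IPs that have POSTed to wp-login.php earlier in the log
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            seen_login.add(rec["ip"])
            continue
        if not is_password_change(rec):
            continue
        ref_host = urlparse(rec["referer"]).hostname
        if ref_host != site_host:
            findings.append((rec["ip"], rec["ts"], "cross-site referer: %s" % (ref_host or "<none>")))
        if rec["ip"] not in seen_login:
            findings.append((rec["ip"], rec["ts"], "password change with no prior login from this IP"))
    return findings
```

Run analyze() over your own access log with your site's hostname; the legitimate change from 203.0.113.5 (same-origin Referer, preceded by a login) produces no finding, while both requests from 198.51.100.7 are flagged twice.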
