汇总 idehweb 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
已披露问题常与 SQL 注入、CSRF与文件包含 相关,可能在 生产负载与软件部署 场景中带来 文件覆盖与未授权访问 等暴露风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2024-6482 | The Login with phone number plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.49. This is due to a lack of validation and missing capability check on user-supplied data in the 'lwp_update_password_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40. The login with pho | [email protected] | 8.8 | 0.47% | 2024-09-14 | 2026-06-17 |
| CVE-2024-37429 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hamid Alinia Login with phone number login-with-phone-number.This issue affects Login with phone number: from n/a through <= 1.7.35. | [email protected] | 5.9 | 0.25% | 2024-07-22 | 2026-06-17 |
| CVE-2023-4916 | The Login with phone number plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.6. This is due to missing nonce validation on the 'lwp_update_password_action' function. This makes it possible for unauthenticated attackers to change user password via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | [email protected] | 8.8 | 0.32% | 2023-09-12 | 2026-06-17 |
| CVE-2023-23492 | The Login with Phone Number WordPress Plugin, version < 1.4.2, is affected by an authenticated SQL injection vulnerability in the 'ID' parameter of its 'lwp_forgot_password' action. | [email protected] | 8.8 | 57.40% | 2023-01-20 | 2026-06-17 |
| CVE-2022-0598 | The Login with phone number WordPress plugin before 1.3.8 does not sanitise and escape plugin settings which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | [email protected] | 4.8 | 0.56% | 2022-08-01 | 2026-06-17 |
| CVE-2022-0593 | The Login with phone number WordPress plugin before 1.3.7 includes a file delete.php with no form of authentication or authorization checks placed in the plugin directory, allowing unauthenticated user to remotely delete the plugin files leading to a potential Denial of Service situation. | [email protected] | 6.5 | 1.42% | 2022-03-14 | 2026-06-17 |