What is the severity of CVE-2023-2706?

The severity of CVE-2023-2706 is rated as high with a CVSS score of 8.1.

How does CVE-2023-2706 impact WordPress websites?

CVE-2023-2706 allows for authentication bypass in the OTP Login Woocommerce & Gravity Forms plugin, potentially compromising user login security.

Is there a fix available for CVE-2023-2706?

At the moment, there is no official fix available for CVE-2023-2706. Users are advised to take precautionary measures and monitor for updates.

Vulnerability/
CVE-2023-2706

high

8.1

CWE

287

17/5/2023

2/8/2024

CVE-2023-2706

First published: Wed May 17 2023(Updated: )

The OTP Login Woocommerce & Gravity Forms plugin for WordPress is vulnerable to authentication bypass. This is due to the fact that when generating OTP codes for users to use in order to login via phone number, the plugin returns these codes in an AJAX response. This makes it possible for unauthenticated attackers to obtain login codes for administrators. This does require an attacker have access to the phone number configured for an account, which can be obtained via social engineering or reconnaissance.

Credit: security@wordfence.com

Affected Software	Affected Version	How to fix
Xootix Otp Login Woocommerce \& Gravity Forms Wordpress	<2.3

Remedy

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2912731%40mobile-login-woocommerce&new=2912731%40mobile-login-woocommerce&sfp_email=&sfph_mail=

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-2706?
The severity of CVE-2023-2706 is rated as high with a CVSS score of 8.1.
How does CVE-2023-2706 impact WordPress websites?
CVE-2023-2706 allows for authentication bypass in the OTP Login Woocommerce & Gravity Forms plugin, potentially compromising user login security.
Is there a fix available for CVE-2023-2706?
At the moment, there is no official fix available for CVE-2023-2706. Users are advised to take precautionary measures and monitor for updates.

agent/references
agent/type
agent/first-publish-date
agent/last-modified-date
collector/nvd-index
agent/software-canonical-lookup-request
agent/severity
agent/remedy
agent/weakness
agent/author
agent/softwarecombine
agent/tags
agent/description
agent/event
collector/mitre-cve
source/MITRE
vendor/xootix
canonical/xootix otp login woocommerce \& gravity forms wordpress

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.