CVE-2023-23492: 
WordPress vulnerability analysis and mitigation

The Login with Phone Number WordPress Plugin, version < 1.4.2, is affected by an authenticated SQL injection vulnerability in the 'ID' parameter of its 'lwpforgotpassword' action (NVD, CVE). The vulnerability was discovered and reported by Joshua Martinelle of Tenable Research, with the CVE being assigned on January 12, 2023 (Tenable Research).

The vulnerability exists in the 'ID' parameter of the 'lwpforgotpassword' action, which is used in the response without proper filtering. Although the response is encoded in JSON, the Content-Type of the response is text/html, which enables the exploitation of the vulnerability. The vulnerable code is present in the './login-with-phonenumber.php' file in the 'lwpforgotpassword()' function. The vulnerability has a CVSS v3.1 Base Score of 8.8 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Tenable Research).

If exploited, this vulnerability could allow an authenticated attacker to perform SQL injection attacks, potentially leading to unauthorized access to sensitive data, modification of database contents, and compromise of the application's integrity (NVD).

The vulnerability has been fixed in version 1.4.2 of the Login with Phone Number WordPress Plugin. Users are advised to update to this version or later to mitigate the risk (Tenable Research).