
Cloud Vulnerability DB
A community-led vulnerability database
The OTP Login Woocommerce & Gravity Forms plugin for WordPress (versions up to 2.2) contains an authentication bypass vulnerability (CVE-2023-2706) discovered in May 2023. The vulnerability affects the plugin's OTP code generation mechanism for user login via phone number, where the codes are exposed in AJAX responses (NVD).
The vulnerability stems from an implementation flaw: the OTP code generated for a login attempt is included in the plugin's AJAX response to that request, so whoever triggers code generation for a phone number receives the code directly, without needing to read the SMS. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a high-severity issue that is exploitable over the network without privileges or user interaction, with high attack complexity (NVD).
If successfully exploited, this vulnerability allows unauthenticated attackers to obtain login codes for administrator accounts. The primary prerequisite is that the attacker must have access to the phone number configured for the target account, which could be obtained through social engineering or reconnaissance (NVD).
Users should upgrade to version 2.3 or later of the OTP Login Woocommerce & Gravity Forms plugin, which contains fixes for this vulnerability (NVD).
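The flaw described above is a pattern rather than a single line: the handler that issues the one-time code also echoes it back to the caller. The following is an added illustration written for this page, not code from the OTP Login Woocommerce & Gravity Forms plugin or from NVD. It shows a hypothetical WordPress AJAX handler with the leaky pattern beside a hardened version that stores only a password hash of the code, limits guesses, expires it, and returns nothing but a status. All function names prefixed `example_`, the `example_phone` user-meta key and the `example_otp_nonce` action name are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Hypothetical handlers for a
// phone-number OTP login flow, registered for unauthenticated callers.

// Assumed helper: look up the account that owns a phone number via a
// user-meta field named 'example_phone' (the key is an assumption).
function example_user_by_phone( $phone ) {
    $users = get_users( array(
        'meta_key'   => 'example_phone',
        'meta_value' => $phone,
        'number'     => 1,
    ) );
    return $users ? $users[0] : null;
}

// Assumed helper: hand the code to whatever SMS gateway is configured.
// Delivery is out of scope here, so it is exposed as a hook.
function example_sms_send( $phone, $code ) {
    do_action( 'example_otp_deliver', $phone, $code );
}

// Flawed pattern (the class of bug in the advisory): the generated code
// is written into the JSON reply, so the caller never needs the SMS.
function example_otp_send_leaky() {
    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $code  = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT );
    set_transient( 'example_otp_' . md5( $phone ), $code, 5 * MINUTE_IN_SECONDS );
    example_sms_send( $phone, $code );
    wp_send_json_success( array( 'sent' => true, 'otp' => $code ) ); // leak
}

// Hardened pattern: only a hash of the code is stored, keyed by user ID,
// with a short TTL and an attempt counter; the response carries no code
// and is identical whether or not the phone maps to an account.
function example_otp_send_fixed() {
    check_ajax_referer( 'example_otp_nonce', 'nonce' );
    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $user  = example_user_by_phone( $phone );
    if ( $user ) {
        $code = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT );
        set_transient( 'example_otp_' . $user->ID, array(
            'hash'     => wp_hash_password( $code ),
            'attempts' => 0,
        ), 5 * MINUTE_IN_SECONDS );
        example_sms_send( $phone, $code );
    }
    wp_send_json_success( array( 'sent' => true ) );
}

// Verification: constant-time hash check via wp_check_password, at most
// five guesses per issued code, single use, then the session is created.
function example_otp_verify_fixed() {
    check_ajax_referer( 'example_otp_nonce', 'nonce' );
    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $code  = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );
    $user  = example_user_by_phone( $phone );
    $key   = $user ? 'example_otp_' . $user->ID : '';
    $state = $key ? get_transient( $key ) : false;

    if ( ! $state ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired code.' ), 401 );
    }
    if ( $state['attempts'] >= 5 ) {
        delete_transient( $key ); // burn the code after too many guesses
        wp_send_json_error( array( 'message' => 'Too many attempts.' ), 429 );
    }
    if ( ! wp_check_password( $code, $state['hash'] ) ) {
        $state['attempts']++;
        set_transient( $key, $state, 5 * MINUTE_IN_SECONDS );
        wp_send_json_error( array( 'message' => 'Invalid or expired code.' ), 401 );
    }

    delete_transient( $key ); // single use
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success( array( 'logged_in' => true ) );
}

add_action( 'wp_ajax_nopriv_example_otp_send',   'example_otp_send_fixed' );
add_action( 'wp_ajax_nopriv_example_otp_verify', 'example_otp_verify_fixed' );
```

When reviewing a plugin for this class of bug, the check is simple: read every `wp_send_json*` / `echo json_encode(...)` in the code-issuing path and confirm the secret is absent from the payload, and confirm the stored value is a hash rather than the code itself, so that a database or transient read does not recover it either.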
Source: This report was generated using AI