CVE-2024-32832
Published: 31 August 2025
Summary
CVE-2024-32832 is a critical-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-32832 is a missing authorization vulnerability, classified under CWE-862, in the WordPress plugin "Login with phone number" developed by Hamid Alinia. The issue affects all versions of the plugin from its initial release through 1.6.93. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impacts across confidentiality, integrity, and availability.
The vulnerability enables exploitation by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation allows attackers to bypass authorization checks, potentially granting unauthorized access to sensitive functions within the plugin and leading to severe compromise of affected WordPress sites.
Patchstack's advisory documents the broken access control vulnerability specific to the "Login with phone number" plugin version 1.6.93 and provides details on mitigation, available at https://patchstack.com/database/Wordpress/Plugin/login-with-phone-number/vulnerability/wordpress-login-with-phone-number-plugin-1-6-93-broken-access-control-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-30618
Vulnerability details
Missing Authorization vulnerability in Hamid Alinia Login with phone number (login-with-phone-number). This issue affects Login with phone number: from n/a through <= 1.6.93.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
A direct missing-authorization (broken access control) flaw in a public-facing WordPress plugin enables remote, unauthenticated exploitation of the application, which is the behaviour T1190 describes.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to information and system resources, directly addressing the missing authorization check in the plugin.
- SI-2 (Flaw Remediation): requires identification, reporting, and correction of system flaws such as this missing authorization issue, mitigating it through timely patching to a fixed plugin version.
- AC-6 (Least Privilege): restricts access to only the functions each principal needs, limiting the impact of an authorization bypass even where the check is absent.