Cyber Resilience

CVE-2024-32832

Severity: Critical
Published: 31 August 2025
Modified: 23 April 2026
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (45.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-32832 is a critical-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 45.5th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-32832 is a missing authorization vulnerability, classified under CWE-862, in the WordPress plugin "Login with phone number" developed by Hamid Alinia. The issue affects all versions of the plugin from its initial release through 1.6.93. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high impacts across confidentiality, integrity, and availability.

The vulnerability enables exploitation by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation allows attackers to bypass authorization checks, potentially granting unauthorized access to sensitive functions within the plugin and leading to severe compromise of affected WordPress sites.
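To make the CWE-862 pattern concrete for reviewers of WordPress plugins, the following is an added illustration, not code from the "Login with phone number" plugin and not taken from the Patchstack advisory. It shows a hypothetical AJAX handler that changes site settings without any authorization check, beside a hardened version that enforces a nonce and a capability check before touching state. The action name `demo_update_login_settings`, the option key `demo_login_settings` and all function names are assumptions made for the example.

```php
<?php
/*
 * Added example: hypothetical WordPress plugin code illustrating CWE-862
 * (Missing Authorization). Nothing here is from the "Login with phone number"
 * plugin. The action name "demo_update_login_settings", the option key
 * "demo_login_settings" and the function names are assumptions for the demo.
 */

/* --- Vulnerable pattern: a privileged action reachable without any authorization check --- */

function demo_update_login_settings_vulnerable() {
    // No nonce check and no capability check: the handler trusts request data
    // and writes a site-wide option on behalf of whoever sent the request.
    $settings = array(
        'otp_enabled' => isset( $_POST['otp_enabled'] ) ? (bool) $_POST['otp_enabled'] : true,
        'admin_phone' => isset( $_POST['admin_phone'] ) ? $_POST['admin_phone'] : '',
    );
    update_option( 'demo_login_settings', $settings );
    wp_send_json_success( $settings );
}
// Registering on wp_ajax_nopriv_* exposes the handler to unauthenticated visitors;
// combined with the missing checks above, this is the missing-authorization pattern.
add_action( 'wp_ajax_nopriv_demo_update_login_settings', 'demo_update_login_settings_vulnerable' );
add_action( 'wp_ajax_demo_update_login_settings',        'demo_update_login_settings_vulnerable' );

/* --- Hardened pattern: authorization enforced before any state change (NIST AC-3) --- */

function demo_update_login_settings_hardened() {
    // 1. CSRF protection: the request must carry a nonce created with
    //    wp_create_nonce( 'demo_update_login_settings_hardened' ) and sent as "nonce".
    //    check_ajax_referer() terminates the request if the nonce is missing or stale.
    check_ajax_referer( 'demo_update_login_settings_hardened', 'nonce' );

    // 2. Authorization: only users permitted to change site options may proceed.
    //    This is the check whose absence defines a CWE-862 flaw.
    //    wp_send_json_error() ends the request, so no further code runs on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation on the data that survives the checks above.
    $phone = isset( $_POST['admin_phone'] )
        ? sanitize_text_field( wp_unslash( $_POST['admin_phone'] ) )
        : '';
    if ( $phone !== '' && ! preg_match( '/^\+?[0-9]{6,15}$/', $phone ) ) {
        wp_send_json_error( array( 'message' => 'invalid phone number' ), 400 );
    }

    $settings = array(
        'otp_enabled' => ! empty( $_POST['otp_enabled'] ),
        'admin_phone' => $phone,
    );
    update_option( 'demo_login_settings', $settings );
    wp_send_json_success( $settings );
}
// Only the authenticated hook is registered. The nopriv hook is deliberately absent:
// unauthenticated visitors have no legitimate reason to reach a settings-changing action.
add_action( 'wp_ajax_demo_update_login_settings_hardened', 'demo_update_login_settings_hardened' );
```

A quick audit that follows from this pattern is to list every `wp_ajax_nopriv_` and REST route registration in a plugin and confirm that each handler either performs only read-only, genuinely public work or calls `current_user_can()` (or an equivalent `permission_callback` for REST routes) before changing any state. The nonce alone is not an authorization check; it only ties the request to a session, which is why the hardened handler performs both.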

Patchstack's advisory documents the broken access control vulnerability specific to the "Login with phone number" plugin version 1.6.93 and provides details on mitigation, available at https://patchstack.com/database/Wordpress/Plugin/login-with-phone-number/vulnerability/wordpress-login-with-phone-number-plugin-1-6-93-broken-access-control-vulnerability?_s_id=cve.

Vulnerability details

Missing Authorization vulnerability in Hamid Alinia Login with phone number (login-with-phone-number). This issue affects Login with phone number: from n/a through <= 1.6.93.

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

A missing authorization check (broken access control) in a public-facing WordPress plugin enables remote, unauthenticated exploitation of the application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2026-3045 (shared CWE-862)
CVE-2025-67956 (shared CWE-862)
CVE-2025-41765 (shared CWE-862)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Enforces approved authorizations for logical access to information and system resources, directly preventing exploitation of the missing authorization vulnerability in the plugin.

SI-2 Flaw Remediation (prevent)
Requires identification, reporting, and correction of system flaws like this missing authorization issue, mitigating it through timely patching.

Least Privilege (prevent)
Employs least privilege to restrict unauthorized access to only necessary functions, limiting the impact of the authorization bypass.
