CVE-2024-37429 in Login with Phone Number Plugin
Summary
by MITRE • 07/22/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hamid Alinia Login with phone number login-with-phone-number.This issue affects Login with phone number: from n/a through <= 1.7.35.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 04/02/2026
The vulnerability identified as CVE-2024-37429 represents a critical cross-site scripting flaw within the Login with phone number plugin developed by Hamid Alinia. This security weakness manifests in the improper neutralization of input during web page generation processes, creating an avenue for malicious actors to inject and execute arbitrary script code within the context of affected web applications. The vulnerability specifically impacts versions of the plugin ranging from the initial release through version 1.7.35, indicating a substantial attack surface that requires immediate attention from system administrators and security practitioners.
The technical nature of this flaw aligns with CWE-79, which categorizes cross-site scripting vulnerabilities as improper neutralization of input during web page generation. The vulnerability occurs when user-supplied input containing malicious scripts is not properly sanitized or escaped before being rendered in web pages. In the context of a phone number login system, this could occur when phone numbers containing specially crafted payloads are processed and displayed without adequate input validation. Attackers could exploit this weakness by submitting malicious input through the phone number field, which would then be reflected in generated web pages and executed in the browsers of other users who view these pages.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to perform session hijacking, steal user credentials, redirect users to malicious sites, or execute unauthorized actions within the affected applications. The attack surface is particularly concerning given that this affects a login plugin, which typically handles sensitive user authentication data. An attacker could leverage this vulnerability to capture login sessions, manipulate user permissions, or gain unauthorized access to protected application features. The reflected nature of the XSS vulnerability means that malicious scripts would execute in the context of the victim's browser, potentially allowing for complete compromise of user sessions and sensitive data exposure.
Mitigation strategies for CVE-2024-37429 should prioritize immediate patching of the affected plugin to version 1.7.36 or later, as this would address the underlying input sanitization issues. Organizations should implement comprehensive input validation and output encoding mechanisms to prevent malicious scripts from being executed in web page contexts. The implementation of Content Security Policy headers can provide additional defense-in-depth measures, while regular security audits of web applications should include thorough testing for XSS vulnerabilities. Security practitioners should also consider implementing web application firewalls to detect and block suspicious input patterns. According to ATT&CK framework category T1566, this vulnerability falls under the Initial Access phase, specifically targeting the exploitation of web application vulnerabilities to establish malicious footholds within target environments. Organizations should conduct comprehensive vulnerability assessments to identify other potential XSS vectors within their web applications and ensure that all user-supplied input undergoes proper sanitization and validation processes before being processed or displayed in web interfaces.