CVE-2025-10484 in Registration & Login with Mobile Phone Number for WooCommerce Plugin

Summary

by MITRE • 01/17/2026

The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password.


Analysis

by VulDB Data Team • 01/18/2026

The vulnerability identified as CVE-2025-10484 affects the Registration & Login with Mobile Phone Number for WooCommerce plugin, a widely used WordPress extension that enables mobile phone number-based user authentication. This plugin facilitates user registration and login processes specifically through mobile phone numbers rather than traditional username and password combinations. The flaw exists in versions up to and including 1.3.1, representing a critical security weakness that undermines the fundamental authentication mechanisms of WordPress sites utilizing this plugin. The vulnerability stems from insufficient user identity verification within the plugin's core authentication logic, creating a pathway for malicious actors to bypass normal authentication procedures entirely.

The technical implementation of this vulnerability resides within the fma_lwp_set_session_php_fun() function, which serves as the primary authentication handler for the plugin. This function fails to properly validate user credentials or verify the legitimacy of authentication requests before establishing user sessions. The absence of proper authentication checks means that any attacker capable of accessing the plugin's authentication endpoints can create valid session tokens for arbitrary user accounts. This flaw operates at the session management level, allowing unauthorized access to user accounts including high-privilege administrator roles without requiring knowledge of valid passwords or other authentication factors. The vulnerability essentially creates a backdoor mechanism that bypasses all standard WordPress authentication controls.

The operational impact of this vulnerability is severe and far-reaching for affected WordPress installations. Unauthenticated attackers can leverage this flaw to gain complete administrative control over compromised sites, enabling them to modify content, install malicious plugins, access sensitive user data, and potentially use the compromised site as a launching point for further attacks within the broader network. The vulnerability affects all user accounts on the site, not just specific individuals, making it particularly dangerous for sites with multiple users including administrators, editors, and subscribers. This authentication bypass allows attackers to operate undetected while maintaining persistent access to the compromised system, potentially leading to data breaches, site defacement, or use as a command and control server.

Organizations affected by this vulnerability should immediately implement mitigation strategies to protect their WordPress installations. The primary recommendation is to update the plugin to a release later than 1.3.1 in which the authentication bypass has been addressed. System administrators should also implement additional security controls such as rate limiting on authentication endpoints, monitoring for unusual login patterns (for example, successful logins to privileged accounts that were not preceded by a one-time code being issued), and network-level restrictions on access to plugin directories. From a compliance perspective, this vulnerability aligns with CWE-287, which addresses improper authentication issues, and represents a significant concern under ATT&CK framework category T1078 for valid accounts and T1566 for credential harvesting techniques. Organizations should also conduct thorough security audits of their WordPress installations to identify any other potentially vulnerable plugins or themes that may present similar authentication bypass risks.
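The following is an added illustration, not code from the plugin or from VulDB, of the flaw class the analysis above describes (a session handler that issues a WordPress login without proof of identity) next to a hardened form that also applies the rate limiting recommended in the mitigation paragraph. All function names, the `fma_lwp_login` nonce action, the `example_phone` user meta key and the transient key prefixes are assumptions made for the example; the real plugin's internals are not reproduced here.

```php
<?php
// Added example. Nothing here is the plugin's own code; handler names, the
// nonce action, meta key and transient prefixes are assumptions.

// --- The pattern the advisory describes (for recognition only): the account
// is chosen from a client-supplied identifier and a session is issued with no
// OTP or password check, so any unauthenticated caller can log in as any user.
function example_vulnerable_login_handler() {
    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $user  = get_user_by( 'login', $phone );    // lookup driven entirely by the request
    if ( $user ) {
        wp_set_auth_cookie( $user->ID, true );  // session created without verifying identity
        wp_send_json_success( array( 'redirect' => home_url( '/' ) ) );
    }
    wp_send_json_error( 'unknown user', 401 );
}

// --- Hardened form: step 1 issues a short-lived one-time code bound to the
// phone number, with per-phone rate limiting; step 2 sets the auth cookie only
// after that code is verified and resolves the account from the verified phone.
function example_send_sms( $phone, $message ) {
    // Placeholder for the site's SMS gateway (assumption); logs instead of sending.
    error_log( "SMS to $phone: $message" );
}

function example_send_otp_handler() {
    check_ajax_referer( 'fma_lwp_login', 'nonce' );
    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    if ( ! preg_match( '/^\+?[0-9]{8,15}$/', $phone ) ) {
        wp_send_json_error( 'invalid phone', 400 );
    }
    // Rate limit: at most 5 code requests per phone per 10 minutes.
    // md5() here only keeps the transient key short; it is not a security control.
    $rl_key = 'example_otp_rl_' . md5( $phone );
    $count  = (int) get_transient( $rl_key );
    if ( $count >= 5 ) {
        wp_send_json_error( 'too many requests', 429 );
    }
    set_transient( $rl_key, $count + 1, 10 * MINUTE_IN_SECONDS );

    $code = (string) random_int( 100000, 999999 );
    // Store only a hash of the code, bound to this phone, valid for 5 minutes.
    set_transient( 'example_otp_' . md5( $phone ), array(
        'hash'     => wp_hash_password( $code ),
        'attempts' => 0,
    ), 5 * MINUTE_IN_SECONDS );
    example_send_sms( $phone, "Your login code is $code" );
    wp_send_json_success();
}

function example_verify_otp_handler() {
    check_ajax_referer( 'fma_lwp_login', 'nonce' );
    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $code  = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );
    $key   = 'example_otp_' . md5( $phone );
    $rec   = get_transient( $key );
    if ( ! is_array( $rec ) ) {
        wp_send_json_error( 'no pending code', 401 );
    }
    if ( $rec['attempts'] >= 3 ) {
        delete_transient( $key );               // burn the code after repeated failures
        wp_send_json_error( 'too many attempts', 429 );
    }
    if ( ! wp_check_password( $code, $rec['hash'] ) ) {
        $rec['attempts']++;
        set_transient( $key, $rec, 5 * MINUTE_IN_SECONDS );
        wp_send_json_error( 'invalid code', 401 );
    }
    delete_transient( $key );                   // single use
    // Resolve the account from the *verified* phone number, never from a user
    // id, login or role supplied by the client.
    $users = get_users( array(
        'meta_key'   => 'example_phone',
        'meta_value' => $phone,
        'number'     => 1,
    ) );
    if ( empty( $users ) ) {
        wp_send_json_error( 'unknown user', 401 );
    }
    wp_set_auth_cookie( $users[0]->ID, false );
    wp_send_json_success( array( 'redirect' => home_url( '/' ) ) );
}

add_action( 'wp_ajax_nopriv_example_send_otp',   'example_send_otp_handler' );
add_action( 'wp_ajax_nopriv_example_verify_otp', 'example_verify_otp_handler' );
```

The property to check when reviewing a phone-login plugin is the one the hardened handlers enforce: `wp_set_auth_cookie()` is reachable only on a code path where the server has already confirmed possession of the phone number, and the user record on that path is derived from the verified number rather than from any value in the request.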

Disclosure

01/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00520

KEV

no

Activities

very low

Sources
