CVE-2025-69052 in Registration & Login with Mobile Phone Number for WooCommerce Plugin
Summary
by MITRE • 01/22/2026
Missing Authorization vulnerability in FmeAddons Registration & Login with Mobile Phone Number for WooCommerce registration-login-with-mobile-phone-number allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Registration & Login with Mobile Phone Number for WooCommerce: from n/a through <= 1.3.1.
Analysis
by VulDB Data Team • 01/28/2026
The vulnerability identified as CVE-2025-69052 represents a critical missing authorization flaw within the FmeAddons Registration & Login with Mobile Phone Number for WooCommerce plugin. This security weakness stems from incorrectly configured access control security levels that permit unauthorized exploitation of the authentication system. The vulnerability specifically impacts versions of the plugin ranging from the initial release through version 1.3.1, creating a window of opportunity for attackers to bypass intended security measures. The issue manifests in the plugin's handling of user registration and login processes, particularly when mobile phone number authentication is utilized as the primary identification method.
The technical flaw resides in the plugin's failure to properly validate user permissions and authorization levels during the registration and login workflows. This misconfiguration allows malicious actors to manipulate the authentication process and potentially gain unauthorized access to user accounts or system resources. The vulnerability operates at the application level and directly impacts the integrity of the user authentication mechanism, which is fundamental to any web application's security posture. Attackers can exploit this weakness to bypass normal access controls that should restrict certain actions to authenticated users or administrators only.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it can enable more sophisticated attacks including account takeover, data exfiltration, and potential privilege escalation within the affected WooCommerce environment. The mobile phone number authentication system becomes compromised, allowing attackers to register new accounts or manipulate existing ones without proper authorization. This vulnerability is particularly concerning in e-commerce environments where user data, transaction information, and personal details are stored. The attack surface is further expanded due to the plugin's integration with WooCommerce's core functionality, potentially allowing exploitation of the vulnerability to affect the entire online store infrastructure.
Mitigation strategies for this vulnerability should focus on immediate plugin updates to versions that address the authorization flaw, as well as implementing additional security controls such as rate limiting for registration attempts and enhanced monitoring of authentication activities. Organizations should conduct thorough security assessments of their WooCommerce installations to identify any other plugins or components that may be similarly affected. The vulnerability aligns with CWE-285, which addresses improper authorization issues in software systems, and represents a clear violation of the principle of least privilege in access control. From an ATT&CK framework perspective, this vulnerability maps to techniques involving privilege escalation and credential access, potentially enabling attackers to move laterally within the compromised system. Security teams should also consider implementing network-level protections and ensuring that all user-facing authentication endpoints are properly secured against unauthorized access attempts.
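As a starting point for the update and assessment steps above, the following added example (not code from the advisory or from the plugin vendor) checks whether a WordPress plugins directory contains this plugin at a version inside the affected range "through <= 1.3.1". It assumes the standard WordPress plugin header (`Plugin Name:` and `Version:` at the top of the main PHP file); the sample file it writes is constructed, and because the advisory names no fixed release, `outside-range` only means the version is above 1.3.1.

```python
import re
import tempfile
from pathlib import Path

SLUG = "registration-login-with-mobile-phone-number"  # slug given in the CVE summary
LAST_AFFECTED = "1.3.1"                                # summary: "through <= 1.3.1"
VERSION_HEADER = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def version_key(text):
    """'1.3.1' -> (1, 3, 1); trailing zeros dropped so '1.3.1.0' compares equal."""
    nums = [int(m.group()) if (m := re.match(r"\d+", part)) else 0
            for part in text.split(".")]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def audit(plugins_dir):
    """Return (status, version) for the plugin under a wp-content/plugins directory."""
    plugin_dir = Path(plugins_dir) / SLUG
    if not plugin_dir.is_dir():
        return ("absent", None)
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top of the main file
        match = VERSION_HEADER.search(head)
        if "Plugin Name:" in head and match:
            version = match.group(1)
            affected = version_key(version) <= version_key(LAST_AFFECTED)
            return ("affected" if affected else "outside-range", version)
    return ("unknown", None)  # installed, but no readable header: check by hand


def make_sample(root, version):
    """Write a constructed plugin file (file name and header text are made up)."""
    plugin_dir = Path(root) / SLUG
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "sample-main.php").write_text(
        f"<?php\n/**\n * Plugin Name: Sample header (constructed)\n * Version: {version}\n */\n")
    return root


if __name__ == "__main__":
    for sample in ("1.3.1", "1.2", "1.4.0"):
        with tempfile.TemporaryDirectory() as tmp:
            print(sample, audit(make_sample(tmp, sample)))
```

On a real host, call `audit()` with the site's `wp-content/plugins` path; an `unknown` result means the directory exists but no header could be read and the install should be inspected manually.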