Authentication Bypass in WooCommerce OTP Login Plugin for WordPress
CVE-2025-8342

8.1HIGH

Key Information:

Vendor: WordPress
Status: WooCommerce Otp Login With Phone Number, Otp Verification
Vendor: CVE Published:; 15 August 2025

What is CVE-2025-8342?

The WooCommerce OTP Login With Phone Number plugin for WordPress contains a vulnerability that allows unauthenticated attackers to bypass OTP verification. Due to insufficient validation of empty values in the lwp_ajax_register function, attackers can exploit this weakness by improperly handling Firebase API errors, particularly when the Firebase API key is not configured. This flaw enables unauthorized access to user accounts that utilize a phone number for authentication, posing significant risks to account security.

Affected Version(s)

WooCommerce OTP Login With Phone Number, OTP Verification * <= 1.8.47

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/login-with-pho...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 15, 2025
Vulnerability Reserved
Jul 30, 2025

Credit

Arkadiusz Hydzik