Authentication Bypass in WooCommerce OTP Login Plugin for WordPress
CVE-2025-8342

8.1HIGH

Key Information:

Vendor

WordPress
Status
WooCommerce Otp Login With Phone Number, Otp Verification
Vendor
CVE Published:
15 August 2025

What is CVE-2025-8342?

The WooCommerce OTP Login With Phone Number plugin for WordPress contains a vulnerability that allows unauthenticated attackers to bypass OTP verification. Due to insufficient validation of empty values in the lwp_ajax_register function, attackers can exploit this weakness by improperly handling Firebase API errors, particularly when the Firebase API key is not configured. This flaw enables unauthorized access to user accounts that utilize a phone number for authentication, posing significant risks to account security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WooCommerce OTP Login With Phone Number, OTP Verification * <= 1.8.47

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/login-with-pho...
https://plugins.trac.wordpress.org/browser/login-with-pho...

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arkadiusz Hydzik
JSON
.