CVE-2025-10484

Critical

Published: 17 January 2026

Published

17 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0045 63.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a users identity prior to…

authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password.

Mitigating Controls (NIST 800-53 r5)AI

IA-2 Identification and Authentication (Organizational Users) good match

prevent

Requires robust identification and authentication for users, directly addressing the plugin's failure to verify identity before authenticating via session function.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access, preventing authentication bypass by ensuring access decisions are made post proper verification.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation, such as patching the vulnerable WooCommerce plugin to eliminate the authentication bypass vulnerability.

Security SummaryAI

CVE-2025-10484 is an authentication bypass vulnerability in the Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress, affecting all versions up to and including 1.3.1. The flaw occurs because the plugin fails to properly verify a user's identity prior to authenticating them via the fma_lwp_set_session_php_fun() function, allowing attackers to gain unauthorized access.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation enables them to authenticate as any user on the site, including administrators, without a valid password, potentially leading to full site compromise. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-288.

Advisories from Wordfence provide threat intelligence on the issue, available at https://www.wordfence.com/threat-intel/vulnerabilities/id/6aef6fbb-be8c-49e1-ada5-7b4aa8b2ff72?source=cve. The plugin's product page at https://woocommerce.com/products/registration-login-with-mobile-phone-number/ offers additional details for affected users.

Details

CWE(s): CWE-288

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an authentication bypass in a public-facing WordPress plugin, enabling unauthenticated remote attackers to log in as any user including administrators, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://woocommerce.com/products/registration-login-with-mobile-phone-number/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/6aef6fbb-be8c-49e1-ada5-7b4aa8b2ff72?source=cve
security@wordfence.com