CVE-2025-10484 Overview
CVE-2025-10484 is a critical authentication bypass vulnerability affecting the Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress. The vulnerability exists in all versions up to and including 1.3.1, allowing unauthenticated attackers to bypass authentication mechanisms and gain access to any user account on the site, including administrator accounts, without providing valid credentials.
Critical Impact
Unauthenticated attackers can authenticate as any user, including administrators, enabling complete site takeover without a valid password.
Affected Products
- Registration & Login with Mobile Phone Number for WooCommerce plugin versions up to and including 1.3.1
- WordPress installations running the affected plugin
- WooCommerce stores using mobile phone number authentication
Discovery Timeline
- 2026-01-17 - CVE-2025-10484 published to NVD
- 2026-01-17 - Last updated in NVD database
Technical Details for CVE-2025-10484
Vulnerability Analysis
This authentication bypass vulnerability (CWE-288: Authentication Bypass Using an Alternate Path or Channel) stems from improper identity verification within the plugin's authentication workflow. The fma_lwp_set_session_php_fun() function fails to adequately verify a user's identity before establishing an authenticated session. This fundamental flaw in the authentication logic allows attackers to circumvent the normal login process entirely.
The vulnerability is particularly severe because it requires no prior authentication, no user interaction, and can be exploited remotely over the network. An attacker can target any user account on the WordPress installation, from regular subscribers to administrators, gaining their full privileges without knowing their credentials.
Root Cause
The root cause of CVE-2025-10484 lies in the fma_lwp_set_session_php_fun() function's failure to properly validate user identity before creating authenticated sessions. The plugin does not implement sufficient verification checks to ensure that the requesting party is actually the legitimate owner of the account being accessed. This represents a critical oversight in the authentication architecture, where session establishment occurs without proper credential validation.
Attack Vector
The attack vector for this vulnerability is network-based, requiring no privileges or user interaction. An attacker can exploit this vulnerability by:
- Identifying a target WordPress site running the vulnerable plugin version
- Crafting malicious requests that exploit the improper identity verification in fma_lwp_set_session_php_fun()
- Bypassing the authentication mechanism to establish a session as any user
- Gaining full access to the targeted account, including administrative privileges if an admin account is targeted
The vulnerability can be exploited remotely without authentication, making it particularly dangerous for public-facing WordPress/WooCommerce installations.
For detailed technical analysis, refer to the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2025-10484
Indicators of Compromise
- Unexpected administrative sessions or logins from unknown IP addresses
- User account access without corresponding valid authentication logs
- Anomalous activity in WooCommerce admin panels or customer accounts
- Multiple session creations for high-privilege accounts without password verification events
Detection Strategies
- Monitor WordPress authentication logs for session establishments that bypass normal password verification
- Implement web application firewall (WAF) rules to detect exploitation attempts targeting the fma_lwp_set_session_php_fun() function
- Review access logs for suspicious patterns of account access, especially for administrative accounts
- Deploy SentinelOne Singularity to detect and alert on anomalous authentication behavior
Monitoring Recommendations
- Enable detailed logging for all authentication events in WordPress
- Configure alerts for administrative account access from new or unusual IP addresses
- Monitor for changes to user roles or permissions that may indicate privilege escalation
- Implement session monitoring to detect unauthorized session creation
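The detection idea above (a privileged session that is not preceded by a credential verification event) can be checked offline against an audit log. The following is an added example, not code from the plugin, Wordfence or SentinelOne: it assumes a constructed line format ("timestamp event user= role= ip=") and constructed event names, so the regular expression and event names must be adapted to whatever authentication log your site actually produces.

```python
# Detection helper (added example): flag session_created events for privileged
# accounts with no credential-verification event from the same user/IP shortly before.
# Log format and event names are constructed for this example; adapt LINE_RE to your audit log.
import re
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"administrator", "shop_manager"}
VERIFY_EVENTS = {"password_verified", "otp_verified"}
WINDOW = timedelta(seconds=30)  # max gap between verification and session creation
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) role=(?P<role>\S+) ip=(?P<ip>\S+)$")

def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def unverified_privileged_sessions(lines):
    """Return (timestamp, user, ip) for each privileged session_created event that is
    not preceded within WINDOW by a verification event for the same user and IP."""
    events = sorted(parse(lines), key=lambda e: e["ts"])
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "session_created" or ev["role"] not in PRIVILEGED_ROLES:
            continue
        verified = any(
            p["event"] in VERIFY_EVENTS and p["user"] == ev["user"] and p["ip"] == ev["ip"]
            and timedelta(0) <= ev["ts"] - p["ts"] <= WINDOW
            for p in events[:i]
        )
        if not verified:
            findings.append((ev["ts"].isoformat(), ev["user"], ev["ip"]))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real site data
    "2026-01-18T10:00:00 password_verified user=alice role=administrator ip=203.0.113.10",
    "2026-01-18T10:00:01 session_created user=alice role=administrator ip=203.0.113.10",
    "2026-01-18T10:05:00 session_created user=bob role=subscriber ip=198.51.100.7",
    "2026-01-18T10:07:30 session_created user=alice role=administrator ip=198.51.100.9",
    "2026-01-18T10:09:00 otp_verified user=carol role=shop_manager ip=192.0.2.5",
    "2026-01-18T10:09:02 session_created user=carol role=shop_manager ip=192.0.2.5",
]

for ts, user, ip in unverified_privileged_sessions(SAMPLE_LOG):
    print(f"ALERT {ts}: privileged session for {user} from {ip} without credential verification")
```

Only the second administrator session (alice from a new IP, with no verification event) is reported; subscriber sessions are ignored because the vulnerability matters most for high-privilege accounts, so widen PRIVILEGED_ROLES if you also want lower roles covered.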
How to Mitigate CVE-2025-10484
Immediate Actions Required
- Update the Registration & Login with Mobile Phone Number for WooCommerce plugin to a patched version immediately
- Audit all user accounts for unauthorized access or privilege changes
- Review administrative account activity logs for signs of compromise
- Consider temporarily disabling the plugin until a patch can be applied
Patch Information
Site administrators should check the WooCommerce Product Page for the latest version that addresses this vulnerability. All versions up to and including 1.3.1 are affected and should be updated immediately. Organizations should prioritize this update due to the critical severity and ease of exploitation.
Workarounds
- Temporarily disable the Registration & Login with Mobile Phone Number for WooCommerce plugin until patched
- Implement IP-based access restrictions to the WordPress admin panel
- Enable two-factor authentication (2FA) for all administrative accounts as an additional security layer
- Deploy a web application firewall with rules to block exploitation attempts
# WordPress CLI command to deactivate the vulnerable plugin
wp plugin deactivate registration-login-with-mobile-phone-number --path=/var/www/html/wordpress
# Verify plugin status
wp plugin list --path=/var/www/html/wordpress | grep mobile-phone
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.