CVE-2025-10484
📋 TL;DR
This vulnerability allows unauthenticated attackers to bypass authentication in the Registration & Login with Mobile Phone Number for WooCommerce WordPress plugin. Attackers can log in as any user, including administrators, without valid credentials. All WordPress sites using this plugin up to version 1.3.1 are affected.
💻 Affected Systems
- Registration & Login with Mobile Phone Number for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain administrative access, install backdoors, steal sensitive data, deface the site, or use it for further attacks.
Likely Case
Attackers gain administrative privileges, modify site content, install malicious plugins/themes, or exfiltrate customer/user data.
If Mitigated
Limited impact if detected early, but still requires full incident response and cleanup.
🎯 Exploit Status
The vulnerability is in a specific function (fma_lwp_set_session_php_fun()) that doesn't properly verify user identity before authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.2 or later
Vendor Advisory: https://woocommerce.com/products/registration-login-with-mobile-phone-number/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Go to Plugins → Installed Plugins. 3. Find 'Registration & Login with Mobile Phone Number for WooCommerce'. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 1.3.2+ from WooCommerce.com and replace the plugin files.
🔧 Temporary Workarounds
Disable the vulnerable plugin
allTemporarily disable the plugin until it can be updated to a patched version.
wp plugin deactivate registration-login-with-mobile-phone-number-for-woocommerce
🧯 If You Can't Patch
- Immediately disable the Registration & Login with Mobile Phone Number plugin via WordPress admin or command line
- Implement web application firewall rules to block requests to the vulnerable fma_lwp_set_session_php_fun() function
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Registration & Login with Mobile Phone Number for WooCommerce → Version number. If version is 1.3.1 or lower, you are vulnerable.Check Version:
wp plugin get registration-login-with-mobile-phone-number-for-woocommerce --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 1.3.2 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual authentication events from unexpected IPs
- Multiple failed login attempts followed by successful login without password reset
- Administrator logins from new locations
Network Indicators:
- HTTP POST requests to WordPress admin-ajax.php or wp-login.php with unusual parameters
- Requests containing 'fma_lwp_set_session_php_fun' in URL or payload
SIEM Query:
source="wordpress_logs" AND (event="authentication" AND result="success" AND (user_agent="*" OR src_ip NOT IN [allowed_ips]))