CVE-2025-8342 HIGH

CVE-2025-8342: WooCommerce OTP Login With Phone Number, OTP Verification <= 1.8.47 - Authentication Bypass

Vendor Glboy
Product OTP Login With Phone Number, OTP Verification
Weakness CWE-862 · Missing authorization
Published August 15, 2025
Last update April 8, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.8.47, because the lwp_ajax_register function does not adequately check for empty values. When the site has no Firebase API key configured, the error returned by the Firebase API is handled improperly, so the OTP check can be passed without a valid code. This makes it possible for unauthenticated attackers to bypass OTP verification and log in to any user account that has a phone number configured, including administrator accounts.

Explanation of Vulnerability in Simple Terms

02 Summary

In versions 1.8.47 and earlier, the OTP Login With Phone Number plugin for WordPress does not properly reject empty values in its phone-number login handler (lwp_ajax_register), and it mishandles the error the Firebase API returns when the site has no Firebase API key configured. Together these defects let an attacker pass the OTP step without ever receiving a code: no password, no session and no valid OTP are needed, only a target account with a phone number on file. Exploitation depends on the site being in that misconfigured state (no Firebase API key set), which is why the CVSS attack complexity is rated High rather than because any credential or user interaction is required; a successful attack against an administrator account gives full control of the site.
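To make the two defects concrete, here is an added illustration of the bug class the description names, a verification step that neither rejects empty input nor fails closed on an API error. It is not the plugin's code; the function names, the Firebase stub and its response shape are assumed for illustration only.

```php
<?php
// Added illustration of the bug class described above; NOT the plugin's own code.
// Assumed helper: calls Firebase's phone-verification endpoint and returns the
// decoded JSON. A request made without a valid API key gets an error document;
// the stub emulates that and otherwise returns a constructed success document.
function firebase_verify_otp(string $api_key, string $session_info, string $code): array
{
    if ($api_key === '') {
        // Constructed error document standing in for Firebase's real response.
        return ['error' => ['code' => 400, 'message' => 'API key not valid']];
    }
    // Real HTTP call omitted; constructed responses for illustration.
    if ($code === '123456') {
        return ['idToken' => 'constructed-token'];
    }
    return ['error' => ['code' => 400, 'message' => 'INVALID_CODE']];
}

// VULNERABLE pattern: no empty-value check on the OTP, and "any non-empty
// response" is treated as success. With no API key configured the error
// document is non-empty, so an empty OTP passes and the caller logs the user in.
function otp_ok_vulnerable(string $api_key, string $session_info, string $code): bool
{
    $resp = firebase_verify_otp($api_key, $session_info, $code);
    return !empty($resp);
}

// HARDENED pattern: reject empty or malformed input first, fail closed when the
// integration is unconfigured or the API reports any error, and require the
// positive success field rather than the mere absence of failure.
function otp_ok_hardened(string $api_key, string $session_info, string $code): bool
{
    if ($api_key === '' || $session_info === '' || !preg_match('/^\d{6}$/', $code)) {
        return false;
    }
    $resp = firebase_verify_otp($api_key, $session_info, $code);
    if (isset($resp['error']) || empty($resp['idToken'])) {
        return false;
    }
    return true;
}

// Constructed scenario: the site has no Firebase API key and the attacker
// submits an empty OTP. The vulnerable check accepts it; the hardened one does not.
var_dump(otp_ok_vulnerable('', 'session-abc', ''));
var_dump(otp_ok_hardened('', 'session-abc', ''));
// Legitimate case with a configured key and the correct code passes the hardened check.
var_dump(otp_ok_hardened('configured-key', 'session-abc', '123456'));
```

In a WordPress AJAX handler the hardened check belongs before any call to wp_set_current_user() or wp_set_auth_cookie(), and a failed check should end the request with wp_send_json_error() rather than fall through to the login path.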

What an attacker can do

03 Attacker Capabilities

Bypass OTP verification and log in as any user whose account has a phone number configured, including administrators, without knowing a password or receiving the one-time code.

Potential impact on your site

04 Site Impact

Attackers can take over any user account that has a phone number on file; taking over an administrator account gives full control of the site.

Conditions required to exploit

05 Prerequisites

Network access to the site running the plugin at version 1.8.47 or earlier, with no Firebase API key configured, and a target account that has a phone number set; no user interaction or prior authentication is required.

Key dates

06 Disclosure timeline

August 15, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

08 Related CVE