WordPress Plugin Vulnerabilities

Registration & Login with Mobile Phone Number for WooCommerce < 1.3.2 - Authentication Bypass

Description

The plugin is vulnerable to Authentication Bypass due to the plugin not properly verifying a users identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password.

Affects Plugins

Plugin icon
registration-login-with-mobile-phone-number
Fixed in 1.3.2

References

CVE
CVE-2025-10484
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6aef6fbb-be8c-49e1-ada5-7b4aa8b2ff72

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
vpetr
Verified
No
WPVDB ID
9aae1826-9e12-42b2-8051-abb89d9bb6b1

Timeline

Publicly Published
2026-01-16 (about 2 months ago)
Added
2026-01-19 (about 2 months ago)
Last Updated
2026-01-19 (about 2 months ago)

Other

Published
Title
Published
2025-02-28
Title
SetSail Membership < 1.1 - Authentication Bypass
Published
2025-12-12
Title
Ninja Forms < 3.13.3 - Unauthenticated Token Generation and Submission Disclosure
Published
2024-10-25
Title
Acnoo Flutter API <= 1.0.5 - Authentication Bypass
Published
2025-04-03
Title
Booking Calendar and Notification <= 4.0.3 - Authentication Bypass
Published
2016-01-19
Title
Simple Download Monitor <= 3.2.8 - Insufficient Authorisation