WooCommerce OTP Login With Phone Number, Authentication Bypass Vulnerability

Vulnerability

An authentication bypass vulnerability has been identified in the WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress, affecting all versions through 1.8.47. The issue arises from inadequate validation of empty values in the lwp_ajax_register function, which lets unauthenticated attackers bypass OTP verification. Because the plugin's error handling for the Firebase API is flawed when no Firebase API key is configured, exploitation can result in unauthorized administrative access to user accounts that have a registered phone number.
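The defensive pattern at stake here, shown as an added illustration that is not the plugin's own code: a verification routine that only rejects on an explicit "wrong code" answer fails open when the backend returns an error (for example because no API key is configured) or when the submitted code is empty, whereas a fail-closed routine rejects empty input up front, treats a backend error as a failed verification, and accepts only an explicit positive result. The class name FakeFirebaseClient, the function names otp_verify_fail_open and otp_verify_fail_closed, the response shape, and the phone number and code values are all constructed for this example and are not taken from the plugin.

```php
<?php
// Added example, not the plugin's code. All names and fixture values below
// are assumptions made for illustration; the plugin's real internals differ.

/** Constructed stand-in for an SMS-OTP verification backend. */
final class FakeFirebaseClient {
    public function __construct(private ?string $apiKey) {}

    /**
     * Returns an associative array modelled on an API response.
     * With no API key configured the backend cannot verify anything,
     * so it reports an error instead of a verification result.
     */
    public function verifyCode(string $phone, string $code): array {
        if ($this->apiKey === null || $this->apiKey === '') {
            return ['error' => 'missing_api_key'];
        }
        // Constructed fixture: the only valid phone/code pairing in this example.
        $valid = ($phone === '+15555550100' && $code === '123456');
        return ['verified' => $valid];
    }
}

/**
 * Fail-open pattern: the OTP is accepted unless the backend explicitly
 * reports the code as wrong. A backend error (no 'verified' key at all)
 * therefore counts as success, and nothing rejects an empty code first.
 */
function otp_verify_fail_open(FakeFirebaseClient $client, string $phone, string $code): bool {
    $resp = $client->verifyCode($phone, $code);
    if (isset($resp['verified']) && $resp['verified'] === false) {
        return false;
    }
    return true; // reached for backend errors as well as for real successes
}

/**
 * Fail-closed pattern: reject empty input before calling out, treat a
 * backend error as a failed verification, and require an explicit
 * 'verified' => true before granting anything.
 */
function otp_verify_fail_closed(FakeFirebaseClient $client, string $phone, string $code): bool {
    if (trim($phone) === '' || trim($code) === '') {
        return false;
    }
    $resp = $client->verifyCode($phone, $code);
    if (isset($resp['error'])) {
        error_log('OTP verification unavailable: ' . $resp['error']);
        return false;
    }
    return ($resp['verified'] ?? false) === true;
}

// Demonstration with an unconfigured backend (API key not set) and an empty code.
$unconfigured = new FakeFirebaseClient(null);
echo 'fail-open, no key, empty code:   ', var_export(otp_verify_fail_open($unconfigured, '+15555550100', ''), true), PHP_EOL;
echo 'fail-closed, no key, empty code: ', var_export(otp_verify_fail_closed($unconfigured, '+15555550100', ''), true), PHP_EOL;

// With the backend configured, the hardened check still accepts a correct code
// and rejects a wrong one.
$configured = new FakeFirebaseClient('constructed-key');
echo 'fail-closed, key set, right code: ', var_export(otp_verify_fail_closed($configured, '+15555550100', '123456'), true), PHP_EOL;
echo 'fail-closed, key set, wrong code: ', var_export(otp_verify_fail_closed($configured, '+15555550100', '000000'), true), PHP_EOL;
```

Run it with `php example.php`. The point of the contrast is that the hardened version never lets a missing configuration or a missing field decide the outcome: every path that is not an explicit success is a failure, and the error path is logged so a misconfigured deployment is visible to operators rather than silently permissive.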

Impact

Exploitation of this vulnerability allows for authentication bypass, enabling unauthorized users to gain administrative access to accounts with a registered phone number.

Remediation

Users are advised to update the WooCommerce OTP Login With Phone Number, OTP Verification plugin to version 1.8.48 or later.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.1
remediation: 7.7
relevance: 0.3
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.