{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8342", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-30T08:58:29.280Z", "datePublished": "2025-08-15T02:24:22.094Z", "dateUpdated": "2026-04-08T16:59:41.038Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:41.038Z"}, "affected": [{"vendor": "glboy", "product": "OTP Login With Phone Number, OTP Verification", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.8.47", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured."}], "title": "WooCommerce OTP Login With Phone Number, OTP Verification <= 1.8.47 - Authentication Bypass", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e74582f-8e94-4cba-a3eb-0a823a5235ad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.47/login-with-phonenumber.php#L4373"}, {"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.47/login-with-phonenumber.php#L4358"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3338150%40login-with-phone-number&new=3338150%40login-with-phone-number&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Arkadiusz Hydzik"}], "timeline": [{"time": "2025-07-18T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-08-01T01:45:21.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-08-14T13:55:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-15T12:44:21.660059Z", "id": "CVE-2025-8342", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T12:44:28.348Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8342", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-15T12:44:21.660059Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T12:44:24.187Z"}}], "cna": {"title": "WooCommerce OTP Login With Phone Number, OTP Verification <= 1.8.47 - Authentication Bypass", "credits": [{"lang": "en", "type": "finder", "value": "Arkadiusz Hydzik"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "glboy", "product": "OTP Login With Phone Number, OTP Verification", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.8.47"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-18T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-08-01T01:45:21.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-08-14T13:55:12.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e74582f-8e94-4cba-a3eb-0a823a5235ad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.47/login-with-phonenumber.php#L4373"}, {"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.47/login-with-phonenumber.php#L4358"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3338150%40login-with-phone-number&new=3338150%40login-with-phone-number&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:41.038Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8342", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:41.038Z", "dateReserved": "2025-07-30T08:58:29.280Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-15T02:24:22.094Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured."}, {"lang": "es", "value": "El complemento WooCommerce OTP Login With Phone Number, OTP Verification para WordPress es vulnerable a la omisi\u00f3n de la autenticaci\u00f3n debido a una comprobaci\u00f3n insuficiente de valores vac\u00edos en la funci\u00f3n lwp_ajax_register en todas las versiones hasta la 1.8.47 incluida. Esto permite a atacantes no autenticados omitir la verificaci\u00f3n OTP y obtener acceso administrativo a cualquier cuenta de usuario con un n\u00famero de tel\u00e9fono configurado, aprovechando la gesti\u00f3n incorrecta de errores de la API de Firebase cuando la clave de la API de Firebase no est\u00e1 configurada."}], "id": "CVE-2025-8342", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-15T03:15:36.877", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.47/login-with-phonenumber.php#L4358"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.47/login-with-phonenumber.php#L4373"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3338150%40login-with-phone-number&new=3338150%40login-with-phone-number&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e74582f-8e94-4cba-a3eb-0a823a5235ad?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:34:57.739193+00:00", "value": {"mitigation_remediation": ["Upgrade the \"Login with Phone Number, OTP Verification\" plugin to the latest version that contains the fix for the authentication bypass.", "If an upgrade is temporarily unavailable, configure a Firebase API key in the plugin\u2019s settings to disable the vulnerable error\u2011handling path.", "Remove or deactivate the plugin entirely until a patched version is released to eliminate the bypass risk."], "summary": {"action": "Patch Immediately", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Affected are all installations of the glboy \"Login with Phone Number, OTP Verification\" plugin up to and including version 1.8.47. Users running this WordPress plugin, often in WooCommerce sites, and whose Firebase API key is not set, are impacted.", "description_and_impact": "The vulnerability exists in the WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress. It arises from insufficient validation of empty values in the lwp_ajax_register function, leading to improper error handling of the Firebase API when the API key is not configured. As a result, unauthenticated attackers can bypass OTP verification and gain administrative access to any user account that has a configured phone number. This flaw falls under CWE\u2011862, Missing Authorization, and enables a complete disruption of authentication controls.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.1, indicating high severity, but the EPSS score is below 1\u202f%, showing a low probability of exploitation at present. It is not listed in the CISA KEV catalog. The likely attack vector is remote and unauthenticated, where an attacker sends a crafted AJAX request to the lwp_ajax_register endpoint and triggers the bypass by exploiting the absent API key configuration. Successful exploitation results in immediate, privileged access to protected user accounts."}}}}, "created": "2025-08-16T21:40:58.654466+00:00", "updated": "2026-04-21T03:45:27.373184+00:00", "vendors": ["woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}