CVE-2025-10484
BaseFortify
Publication date: 2026-01-17
Last updated on: 2026-01-17
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fmeaddons | registration_login_with_mobile_phone_number | to 1.3.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the WooCommerce Registration & Login with Mobile Phone Number plugin for WordPress allows unauthenticated attackers to bypass authentication. This happens because the plugin does not properly verify a user's identity before authenticating them via the fma_lwp_set_session_php_fun() function. As a result, attackers can log in as any user on the site, including administrators, without needing a valid password.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows attackers to authenticate as any user, including administrators, without valid credentials. This can lead to unauthorized access to sensitive data, full control over the website, potential data theft, site defacement, or other malicious activities that compromise the integrity, confidentiality, and availability of the site.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Registration & Login with Mobile Phone Number for WooCommerce plugin to a version later than 1.3.1 where the authentication bypass issue is fixed. If an update is not yet available, consider disabling the plugin until a patch is released to prevent unauthenticated attackers from exploiting the authentication bypass vulnerability.