CVE-2025-10484: CWE-288 Authentication Bypass Using an Alternate Path or Channel in FmeAddons Registration & Login with Mobile Phone Number for WooCommerce
CVE-2025-10484 is a critical authentication bypass vulnerability in the Registration & Login with Mobile Phone Number for WooCommerce WordPress plugin (versions up to 1.3.1). The flaw arises because the plugin fails to properly verify user identity before authenticating via the fma_lwp_set_session_php_fun() function. This allows unauthenticated attackers to log in as any user, including administrators, without needing valid credentials. The vulnerability has a CVSS score of 9.8, indicating a critical risk with network attack vector, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability. Although no public exploits are known yet, the severity and ease of exploitation make this a significant threat to WooCommerce sites using this plugin. European organizations using this plugin are at high risk of account takeover and potential site compromise. Immediate patching or mitigation is essential to prevent unauthorized access and potential data breaches.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-10484 affects the Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress, specifically all versions up to and including 1.3.1. The core issue is an authentication bypass (CWE-288) caused by improper verification of user identity before session establishment. The vulnerable function, fma_lwp_set_session_php_fun(), is responsible for setting the user session but does not adequately confirm that the user attempting to authenticate is legitimate. This flaw enables an unauthenticated attacker to bypass normal login procedures and gain access as any user on the site, including high-privilege administrator accounts, without supplying a valid password or any credentials. The vulnerability is remotely exploitable over the network without any user interaction or prior privileges, making it highly accessible to attackers. The CVSS v3.1 base score of 9.8 reflects the critical nature of this flaw, with impacts rated high on confidentiality, integrity, and availability, meaning attackers can fully compromise the affected system. Although no known exploits have been publicly reported, the simplicity of exploitation and the widespread use of WooCommerce and its plugins suggest a high risk of future exploitation. The vulnerability poses a serious threat to the security of e-commerce websites relying on this plugin for user authentication via mobile phone numbers, potentially leading to unauthorized access, data theft, defacement, or further compromise of the hosting environment.
Potential Impact
For European organizations, this vulnerability presents a severe risk to e-commerce platforms using WooCommerce with the affected plugin. Unauthorized access to administrator accounts can lead to full site compromise, including theft of customer data, manipulation of orders, injection of malicious code, and disruption of services. This can result in significant financial losses, reputational damage, and non-compliance with GDPR and other data protection regulations due to unauthorized data exposure. The ease of exploitation and the critical impact on confidentiality, integrity, and availability make this vulnerability particularly dangerous. Organizations operating in sectors with high online transaction volumes, such as retail, finance, and healthcare, are especially vulnerable. The potential for attackers to impersonate legitimate users also increases the risk of fraudulent transactions and identity theft. Given the plugin’s role in authentication, exploitation could undermine trust in the entire e-commerce platform, affecting customer confidence and business continuity.
Mitigation Recommendations
Immediate mitigation involves updating the Registration & Login with Mobile Phone Number for WooCommerce plugin to a patched version once released by the vendor. Until a patch is available, organizations should consider disabling the plugin to prevent exploitation. Implementing additional authentication controls, such as multi-factor authentication (MFA), can reduce the risk of unauthorized access even if the vulnerability is exploited. Monitoring web server and application logs for unusual login activity or session anomalies can help detect exploitation attempts early. Restricting access to the WordPress admin area by IP whitelisting or VPN can limit attacker reach. Employing a Web Application Firewall (WAF) with custom rules to detect and block suspicious requests targeting the vulnerable function may provide temporary protection. Regular security audits and penetration testing focused on authentication mechanisms are recommended to identify and remediate similar issues proactively. Finally, educating site administrators about the risks and signs of compromise can improve incident response readiness.
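As an added illustration of the control the Technical Summary says is missing (this is not the plugin's code; the AJAX action, user meta key and transient names are assumptions), the following WordPress handler only establishes a session after the caller has proved possession of the phone number: the user identity is resolved server-side when the one-time code is issued, and the code is verified before any auth cookie is set.

```php
<?php
// Illustrative hardened phone-number login for WordPress (not the plugin's code).
// Assumed names: AJAX action "demo_phone_login", user meta key "phone_number",
// transient prefix "demo_otp_". The CWE-288 failure mode this guards against is
// setting a session from a request-supplied identity without a proof of possession.

function demo_issue_otp( $phone ) {
    // Resolve the account from the phone number on the server and bind the
    // user id to the pending code; the client never names the user.
    $users = get_users( [ 'meta_key' => 'phone_number', 'meta_value' => $phone, 'number' => 1 ] );
    if ( empty( $users ) ) {
        return false;
    }
    $otp = (string) random_int( 100000, 999999 );
    set_transient(
        'demo_otp_' . md5( $phone ),
        [ 'hash' => hash( 'sha256', $otp ), 'user_id' => $users[0]->ID ],
        5 * MINUTE_IN_SECONDS
    );
    return $otp; // hand this to the SMS sender, never to the HTTP response
}

add_action( 'wp_ajax_nopriv_demo_phone_login', 'demo_phone_login_handler' );

function demo_phone_login_handler() {
    // The request must carry a valid nonce for this action.
    check_ajax_referer( 'demo_phone_login', 'nonce' );

    $phone = sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) );
    $otp   = sanitize_text_field( wp_unslash( $_POST['otp'] ?? '' ) );
    if ( $phone === '' || $otp === '' ) {
        wp_send_json_error( 'missing parameters', 400 );
    }

    // Identity comes only from the server-side record created at issue time.
    $key    = 'demo_otp_' . md5( $phone );
    $record = get_transient( $key );
    delete_transient( $key ); // single use, whatever the outcome (also bounds guessing)
    if ( ! is_array( $record ) || ! hash_equals( $record['hash'], hash( 'sha256', $otp ) ) ) {
        wp_send_json_error( 'invalid or expired code', 403 );
    }

    $user = get_user_by( 'id', (int) $record['user_id'] );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 403 );
    }

    // Only now is the session established.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    wp_send_json_success( [ 'redirect' => home_url( '/my-account/' ) ] );
}
```

Because the code is invalidated on the first attempt, a wrong guess forces a fresh issuance; combine this with per-phone issuance rate limiting in a production deployment.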
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-15T14:03:41.704Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696b47c6d302b072d9dc16e5
Added to database: 1/17/2026, 8:26:46 AM
Last enriched: 1/17/2026, 8:41:07 AM
Last updated: 1/17/2026, 11:18:46 AM