CVE-2025-10484: CWE-288 Authentication Bypass Using an Alternate Path or Channel in FmeAddons Registration & Login with Mobile Phone Number for WooCommerce
The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password.
AI Analysis
Technical Summary
CVE-2025-10484 is a critical security vulnerability affecting the Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress, present in all versions up to and including 1.3.1. The vulnerability is classified under CWE-288, which involves authentication bypass using an alternate path or channel. Specifically, the plugin's function fma_lwp_set_session_php_fun() does not properly verify the identity of users before authenticating them. This flaw allows an unauthenticated attacker to bypass normal authentication mechanisms and gain access as any user on the WordPress site, including high-privilege administrator accounts, without providing a valid password or any credentials. The vulnerability is remotely exploitable over the network without any user interaction or privileges required, as indicated by the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N. The impact on confidentiality, integrity, and availability is severe, as attackers can fully compromise the website, manipulate content, steal sensitive data, or deploy further malware. No patches or official fixes are currently linked, and no known exploits have been publicly reported yet. However, the critical nature of this vulnerability demands immediate attention from site administrators using this plugin, especially those operating e-commerce platforms via WooCommerce, where customer trust and data protection are paramount.
Potential Impact
The potential impact of CVE-2025-10484 is extremely high for organizations worldwide that use the affected plugin. Successful exploitation allows attackers to fully compromise WordPress sites by logging in as any user, including administrators, without authentication. This can lead to unauthorized data access, modification or deletion of website content, theft of customer information, insertion of malicious code or backdoors, disruption of e-commerce operations, and reputational damage. For WooCommerce-based online stores, this could result in financial losses, regulatory penalties due to data breaches, and loss of customer trust. The vulnerability's ease of exploitation and lack of required user interaction increase the likelihood of automated attacks and widespread abuse. Organizations that do not promptly address this vulnerability risk complete site takeover and long-term operational and security consequences.
Mitigation Recommendations
1. Immediately disable or remove the Registration & Login with Mobile Phone Number for WooCommerce plugin until a security patch is released.
2. Monitor official vendor channels and WordPress plugin repositories for updates or patches addressing CVE-2025-10484 and apply them as soon as available.
3. Implement additional authentication controls such as multi-factor authentication (MFA) at the WordPress login level to reduce risk.
4. Restrict access to the WordPress admin dashboard by IP whitelisting or VPN where feasible.
5. Conduct thorough audits of user accounts and sessions to detect unauthorized access or suspicious activity.
6. Review and harden WordPress security configurations, including limiting plugin installations to trusted sources only.
7. Maintain regular backups of website data and configurations to enable rapid recovery in case of compromise.
8. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious authentication bypass attempts targeting this plugin.
9. Educate site administrators about the risks and signs of exploitation related to this vulnerability.
10. Consider alternative, well-maintained plugins for mobile phone number login functionality with verified security track records.
Affected Countries
United States, Germany, United Kingdom, India, Australia, Canada, France, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-15T14:03:41.704Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696b47c6d302b072d9dc16e5
Added to database: 1/17/2026, 8:26:46 AM
Last enriched: 2/27/2026, 6:25:38 PM
Last updated: 3/25/2026, 1:49:46 AM
Views: 440