The vulnerability identified as CVE-2025-10484 affects the 'Registration & Login with Mobile Phone Number for WooCommerce' plugin developed by FmeAddons for WordPress. This plugin facilitates user registration and login via mobile phone numbers. The security flaw is an authentication bypass categorized under CWE-288, which occurs because the plugin fails to properly verify a user's identity before authenticating them through the function fma_lwp_set_session_php_fun(). This improper verification allows an attacker with no prior authentication or user interaction to impersonate any user on the site, including those with administrative privileges. The vulnerability affects all versions up to and including 1.3.1. The CVSS v3.1 score is 9.8 (critical), reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impacts on confidentiality (C:H), integrity (I:H), and availability (A:H). This means an attacker can remotely exploit the vulnerability without any credentials or user action, leading to full compromise of the affected WordPress site. Although no public exploits are currently reported, the severity and ease of exploitation make this a high-risk vulnerability. The plugin is widely used in WooCommerce environments, which are popular for e-commerce websites, making the potential impact significant. The vulnerability could lead to unauthorized access, data theft, site defacement, or complete control over the affected systems.

For European organizations, especially those operating e-commerce platforms using WooCommerce with this vulnerable plugin, the impact is severe. Successful exploitation allows attackers to bypass authentication controls and gain unauthorized access to user accounts, including administrators. This can lead to data breaches involving personal customer information, payment data, and business-sensitive information. Attackers could manipulate product listings, alter transaction records, or disrupt service availability, causing financial loss and reputational damage. Regulatory compliance risks are also heightened, as unauthorized access to personal data may violate GDPR requirements, potentially resulting in significant fines. The ease of exploitation and lack of required user interaction increase the likelihood of attacks, making it critical for organizations to act swiftly. Additionally, the compromise of administrative accounts could facilitate further lateral movement within the organization's infrastructure, escalating the overall security risk.

1. Immediately monitor for updates from FmeAddons and apply any security patches addressing CVE-2025-10484 as soon as they become available. 2. If patches are not yet released, consider temporarily disabling the 'Registration & Login with Mobile Phone Number for WooCommerce' plugin to prevent exploitation. 3. Implement enhanced logging and monitoring of login activities, focusing on unusual or suspicious authentication attempts, especially those involving mobile phone number logins. 4. Enforce multi-factor authentication (MFA) on WordPress administrator accounts to add an additional layer of security beyond the vulnerable plugin. 5. Conduct a thorough audit of user accounts and sessions to detect any unauthorized access or changes. 6. Educate site administrators about the vulnerability and the importance of rapid response to suspicious activity. 7. Review and restrict plugin permissions and access to minimize potential damage if exploitation occurs. 8. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block exploitation attempts targeting the vulnerable function. 9. Regularly back up site data and configurations to enable rapid recovery in case of compromise.