
CVE-2025-8342: CWE-862 Missing Authorization in glboy WooCommerce OTP Login With Phone Number, OTP Verification

High
Tags: Vulnerability, CVE-2025-8342, CWE-862
Published: Fri Aug 15 2025 (08/15/2025, 02:24:22 UTC)
Source: CVE Database V5
Vendor/Project: glboy
Product: WooCommerce OTP Login With Phone Number, OTP Verification

Description

The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured.

AI-Powered Analysis

Last updated: 08/15/2025, 02:47:48 UTC

Technical Analysis

CVE-2025-8342 is a high-severity vulnerability affecting the WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress, developed by glboy. This plugin facilitates user authentication via one-time passwords (OTPs) sent to phone numbers, integrating Firebase API services for OTP verification. The vulnerability arises from insufficient validation of empty values in the lwp_ajax_register function across all plugin versions up to and including 1.8.47. Specifically, when the Firebase API key is not configured, improper error handling of Firebase API responses allows unauthenticated attackers to bypass OTP verification. This bypass enables attackers to gain administrative access to any user account that has a configured phone number. The root cause is a missing authorization check (CWE-862) that fails to properly verify the OTP or the legitimacy of the registration request. The vulnerability is remotely exploitable without authentication or user interaction, but requires a high attack complexity due to the need to exploit the Firebase API error handling flaw. The CVSS v3.1 score is 8.1, reflecting high impact on confidentiality, integrity, and availability, as attackers can fully compromise user accounts and potentially escalate privileges to administrative roles. No known exploits are currently reported in the wild, and no official patches have been published yet. However, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those relying on phone-based OTP authentication for user login and account security.

Potential Impact

For European organizations, this vulnerability could lead to severe security breaches, including unauthorized administrative access to e-commerce platforms running WooCommerce with the vulnerable OTP plugin. Such access can result in data theft, manipulation of customer orders, financial fraud, and disruption of online sales operations. Given the widespread use of WooCommerce in Europe, especially among small and medium-sized enterprises (SMEs) in retail and services sectors, exploitation could undermine customer trust and lead to regulatory penalties under GDPR due to unauthorized access to personal data. The ability to bypass OTP verification also weakens multi-factor authentication mechanisms, increasing the risk of account takeover attacks. Additionally, attackers gaining admin privileges could deploy further malware or ransomware, amplifying operational and reputational damage. The absence of user interaction and authentication requirements for exploitation makes this vulnerability particularly dangerous for European organizations that rely on this plugin for secure user authentication.

Mitigation Recommendations

European organizations using the WooCommerce OTP Login With Phone Number, OTP Verification plugin should immediately audit their WordPress installations to identify affected versions (up to 1.8.47). Until an official patch is released, organizations should consider disabling the plugin or replacing it with alternative OTP solutions that have verified security. Implementing strict configuration management to ensure the Firebase API key is properly set and validated can mitigate the improper error handling vector. Additionally, organizations should enforce strong access controls and monitor administrative account activities for suspicious behavior. Employing Web Application Firewalls (WAFs) with custom rules to detect and block anomalous AJAX requests targeting the lwp_ajax_register function can provide temporary protection. Regularly updating WordPress core and plugins, conducting penetration testing focused on authentication mechanisms, and educating administrators about this vulnerability are critical. Finally, organizations should prepare incident response plans to quickly address potential compromises stemming from this vulnerability.
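A detection check in the spirit of the monitoring and WAF advice above, added here as an example and not part of the original advisory or of the plugin's code: it scans access log lines for bursts of POST requests to the OTP registration AJAX endpoint from a single source. It assumes the handler is reached through admin-ajax.php with action=lwp_ajax_register in the query string (so it appears in the access log); the log lines, addresses and threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (Apache combined format); not real traffic.
# Assumption: the plugin handler is reached via admin-ajax.php with
# action=lwp_ajax_register in the query string, so it is visible here.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Aug/2025:02:30:01 +0000] "POST /wp-admin/admin-ajax.php?action=lwp_ajax_register HTTP/1.1" 200 143 "-" "python-requests/2.32"
203.0.113.7 - - [15/Aug/2025:02:30:02 +0000] "POST /wp-admin/admin-ajax.php?action=lwp_ajax_register HTTP/1.1" 200 143 "-" "python-requests/2.32"
203.0.113.7 - - [15/Aug/2025:02:30:03 +0000] "POST /wp-admin/admin-ajax.php?action=lwp_ajax_register HTTP/1.1" 200 143 "-" "python-requests/2.32"
198.51.100.20 - - [15/Aug/2025:02:31:10 +0000] "POST /wp-admin/admin-ajax.php?action=lwp_ajax_register HTTP/1.1" 200 143 "https://shop.example/login" "Mozilla/5.0"
198.51.100.20 - - [15/Aug/2025:02:35:42 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def is_otp_register_call(entry):
    # POST to admin-ajax.php carrying the assumed action name in the query string.
    return (entry["method"] == "POST" and "admin-ajax.php" in entry["path"]
            and "action=lwp_ajax_register" in entry["path"])

def find_suspicious_sources(log_text, max_calls=2, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for sources exceeding max_calls within a sliding window."""
    calls = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_otp_register_call(e):
            calls[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in calls.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop timestamps outside the window
                start += 1
            if end - start + 1 > max_calls:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```

Flagged sources are candidates for rate limiting or a WAF rule, not proof of compromise; a legitimate user retrying a login a few times can also cross a low threshold.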


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-30T08:58:29.280Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689e9c51ad5a09ad00615fab

Added to database: 8/15/2025, 2:32:49 AM

Last enriched: 8/15/2025, 2:47:48 AM

Last updated: 8/26/2025, 1:07:17 AM
