CVE-2025-8342: CWE-862 Missing Authorization in glboy WooCommerce OTP Login With Phone Number, OTP Verification
The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured.
AI Analysis
Technical Summary
CVE-2025-8342 is an authentication bypass vulnerability classified under CWE-862 (Missing Authorization) found in the WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress, developed by glboy. The vulnerability exists in all versions up to and including 1.8.47. Specifically, the issue arises from insufficient validation of empty values in the lwp_ajax_register function, which handles AJAX registration requests. When the Firebase API key is not configured, the plugin improperly handles Firebase API errors, allowing unauthenticated attackers to bypass the OTP verification mechanism. This bypass enables attackers to gain administrative access to any user account that has a phone number configured for OTP login. The vulnerability is remotely exploitable without any authentication or user interaction, making it highly dangerous. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability, with network attack vector and high attack complexity. Although no public exploits are known yet, the flaw’s nature and ease of exploitation pose a significant risk to WordPress sites using this plugin. The vulnerability compromises the core authentication process, potentially allowing full administrative control over affected WordPress installations.
Potential Impact
The impact of CVE-2025-8342 is severe for organizations using the affected WooCommerce OTP Login plugin. Successful exploitation grants attackers administrative access to WordPress sites, enabling them to modify content, steal sensitive data, install malware, or disrupt services. This can lead to data breaches, loss of customer trust, financial losses, and damage to brand reputation. E-commerce sites using WooCommerce are particularly at risk, as attackers could manipulate orders, access payment information, or compromise customer accounts. The vulnerability affects confidentiality by exposing user data, integrity by allowing unauthorized changes, and availability by potentially enabling denial-of-service or site defacement attacks. Given the plugin’s popularity in WordPress ecosystems worldwide, the scope of affected systems is broad. The lack of authentication or user interaction required for exploitation increases the likelihood of attacks, especially in environments where the Firebase API key is misconfigured or missing.
Mitigation Recommendations
To mitigate CVE-2025-8342, organizations should immediately verify and update the WooCommerce OTP Login With Phone Number, OTP Verification plugin to a patched version once available from the vendor. Until a patch is released, administrators should ensure the Firebase API key is properly configured to prevent the error handling flaw from being exploited. Restrict access to the AJAX registration endpoint (lwp_ajax_register) via web application firewalls or server-level access controls to limit exposure. Implement additional monitoring and alerting for suspicious administrative login attempts or unusual activity related to OTP verification. Consider temporarily disabling the OTP login feature if it cannot be securely configured. Regularly audit user accounts for unauthorized administrative privileges and enforce strong authentication policies. Engage in proactive vulnerability scanning and penetration testing focused on authentication mechanisms to detect similar issues early.
Affected Countries
United States, Germany, United Kingdom, India, Canada, Australia, France, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-30T08:58:29.280Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689e9c51ad5a09ad00615fab
Added to database: 8/15/2025, 2:32:49 AM
Last enriched: 2/26/2026, 5:01:49 PM
Last updated: 3/24/2026, 8:36:42 AM