CVE-2025-8342: CWE-862 Missing Authorization in glboy OTP Login With Phone Number, OTP Verification
The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured.
AI Analysis
Technical Summary
The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress contains a missing authorization vulnerability (CWE-862) in the lwp_ajax_register function, reachable by unauthenticated requests. According to the advisory, the function does not adequately check for empty values and does not treat a failed Firebase API call as a verification failure: when the site has no Firebase API key configured, the Firebase call cannot succeed, yet the handler proceeds as if the OTP had been verified. An unauthenticated attacker who knows the phone number configured on a target account can therefore skip OTP verification and obtain administrative access to that account. All versions up to and including 1.8.47 are affected. The issue carries a CVSS 3.1 base score of 8.1 (high); the score is below the 9.x range because the bypass only applies to sites that never configured the Firebase API key and to accounts that have a phone number set. A fixed release is available.
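The following PHP is an added illustration of the fail-open pattern the summary describes, written for this page; it is not code from the plugin, and every function, option and parameter name in it is hypothetical. It places a handler that treats an empty Firebase response as "no error" next to a handler that fails closed when the key is missing, the response is empty, or the verified phone number does not match the one the client claimed. The user table and the token-to-phone mapping are constructed sample data.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's code. Names are hypothetical.

// Constructed user table: phone number -> WordPress user ID (ID 1 is the admin).
const USERS_BY_PHONE = ['+15551230001' => 1, '+15551230002' => 7];

// Stand-in for an HTTP call to Firebase's account-lookup endpoint. Returns the
// decoded JSON body. With no API key the request is never sent and the helper
// returns an empty array instead of an explicit error: the mishandled case.
function firebase_lookup(string $id_token, string $api_key): array
{
    if ($api_key === '') {
        return [];
    }
    // Constructed stand-in for the remote service's answer.
    $valid = ['token-for-0002' => '+15551230002'];
    if (isset($valid[$id_token])) {
        return ['users' => [['phoneNumber' => $valid[$id_token]]]];
    }
    return ['error' => ['message' => 'INVALID_ID_TOKEN']];
}

// Vulnerable shape: only an explicit "error" key counts as failure. An empty
// response has no such key, so the phone number the client supplied is trusted
// and the matching account is logged in without any OTP having been verified.
function login_vulnerable(string $phone, string $id_token, string $api_key): ?int
{
    $resp = firebase_lookup($id_token, $api_key);
    if (isset($resp['error'])) {
        return null;
    }
    return USERS_BY_PHONE[$phone] ?? null;
}

// Hardened shape: reject missing configuration and empty inputs up front,
// require a non-empty verified phone number from the provider, and require it
// to equal the number the client claims before looking the account up.
function login_hardened(string $phone, string $id_token, string $api_key): ?int
{
    if ($api_key === '' || $phone === '' || $id_token === '') {
        return null;
    }
    $resp = firebase_lookup($id_token, $api_key);
    $verified = $resp['users'][0]['phoneNumber'] ?? '';
    if (isset($resp['error']) || $verified === '' || !hash_equals($verified, $phone)) {
        return null;
    }
    return USERS_BY_PHONE[$phone] ?? null;
}

// Scenario from the advisory: the site never configured a Firebase key, the
// attacker knows the admin's phone number and sends a garbage token.
var_dump(login_vulnerable('+15551230001', 'garbage', ''));
var_dump(login_hardened('+15551230001', 'garbage', ''));
// Legitimate login with a configured key and a token the provider accepts.
var_dump(login_hardened('+15551230002', 'token-for-0002', 'firebase-key'));
```

The first call returns the admin's user ID because `isset($resp['error'])` is false on an empty array; the second returns null because the missing key is rejected before any lookup; the third succeeds only because the provider's verified number equals the claimed one. The design point is that the verification step must produce a positive, non-empty assertion of identity that the handler compares against the claim, rather than the handler assuming success whenever no error is reported.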
Potential Impact
Successful exploitation allows unauthenticated attackers to bypass OTP verification and gain administrative access to user accounts with configured phone numbers. This compromises confidentiality, integrity, and availability of affected WordPress sites using the vulnerable plugin.
Mitigation Recommendations
A fixed release is available: update the WooCommerce OTP Login With Phone Number, OTP Verification plugin to version 1.8.48 or later. Sites that cannot update immediately should either disable the plugin or confirm that a Firebase API key is configured, since the advisory describes the bypass as triggering only when the key is absent; note that this is a workaround, not a fix, and the key must remain configured for every site and environment (staging included). Because exploitation requires no authentication, also review web server and WordPress logs for unexpected unauthenticated calls to the plugin's registration AJAX handler, and audit administrator accounts and recent logins on sites that ran an affected version without a configured key.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-30T08:58:29.280Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689e9c51ad5a09ad00615fab
Added to database: 8/15/2025, 2:32:49 AM
Last enriched: 4/9/2026, 6:01:03 PM
Last updated: 5/9/2026, 10:43:49 PM