WooCommerce OTP Login With Phone Number CVE-2025-8342: Brief Summary of a Critical Authentication Bypass

This post provides a brief summary of CVE-2025-8342, a critical authentication bypass in the WooCommerce OTP Login With Phone Number plugin for WordPress up to version 1.8.47. It covers technical details, affected versions, vendor security history, and references for further reading.
CVE Analysis

ZeroPath CVE Analysis

2025-08-14

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers can bypass OTP verification and gain administrative access to WordPress sites running the WooCommerce OTP Login With Phone Number, OTP Verification plugin in any version up to 1.8.47. For e-commerce platforms that rely on this plugin for two-factor authentication, the vulnerability exposes user accounts and site integrity to compromise.

WooCommerce OTP Login With Phone Number, OTP Verification is a widely adopted plugin in the WordPress ecosystem, enabling phone-based authentication for thousands of online stores. Its integration with Firebase for OTP delivery is intended to strengthen account security, but implementation flaws have led to recurring vulnerabilities.

Technical Information

CVE-2025-8342 is caused by insufficient empty-value checking in the lwp_ajax_register function. When handling registration or authentication requests, the plugin does not adequately verify that the required OTP parameters are present and correctly formatted. If the Firebase API key is missing or not configured, the plugin's handling of Firebase API responses is also flawed: instead of treating an API error as an authentication failure, the function may interpret certain error conditions as a successful OTP verification.

This allows an unauthenticated attacker to send requests with empty or malformed OTP values to the vulnerable AJAX endpoint (admin-ajax.php). The plugin then skips OTP verification and grants access to the user account associated with a configured phone number. The vulnerability is classified as CWE-862 (Missing Authorization).

No public proof of concept code is available, but the vulnerability can be triggered by manipulating POST parameters sent to the AJAX endpoint.
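As an added example (not the plugin's code), the following PHP sketches a fail-closed OTP check that handles each failure mode described above: a missing Firebase API key, an empty or malformed OTP, and an error or empty response from the verification API. The function name, the response fields it inspects (idToken, phoneNumber, error) and the assumption that the integration calls Firebase's accounts:signInWithPhoneNumber endpoint are assumptions, not details taken from the plugin.

```php
<?php
// Added example, not the plugin's code. Models a fail-closed check for the
// failure modes in the CVE description; the field names are assumptions.

// Assumption: the plugin exchanges the OTP with Firebase Identity Toolkit
// (accounts:signInWithPhoneNumber) and receives a decoded JSON body. Only a
// body that carries an idToken for the expected phone number counts as a login.
function otp_verify_firebase_response(?string $api_key, string $otp, string $expected_phone, ?array $response): bool
{
    // 1. Fail closed when the integration itself is not configured.
    if ($api_key === null || $api_key === '') {
        return false;
    }
    // 2. Reject empty or malformed OTP values before trusting any API result.
    if (!preg_match('/^\d{4,8}$/', $otp)) {
        return false;
    }
    // 3. No body, an error object, or a missing token is a failure, never a success.
    if ($response === null || isset($response['error'])) {
        return false;
    }
    if (empty($response['idToken']) || !is_string($response['idToken'])) {
        return false;
    }
    // 4. Bind the verification to the phone number the login was requested for.
    return isset($response['phoneNumber'])
        && hash_equals($expected_phone, (string) $response['phoneNumber']);
}

// Constructed sample inputs covering each failure mode plus one valid exchange.
$cases = [
    'missing api key' => [null,  '123456', '+15555550100', ['idToken' => 'tok', 'phoneNumber' => '+15555550100']],
    'empty otp'       => ['key', '',       '+15555550100', ['idToken' => 'tok', 'phoneNumber' => '+15555550100']],
    'firebase error'  => ['key', '123456', '+15555550100', ['error' => ['code' => 400, 'message' => 'INVALID_CODE']]],
    'no body'         => ['key', '123456', '+15555550100', null],
    'wrong phone'     => ['key', '123456', '+15555550100', ['idToken' => 'tok', 'phoneNumber' => '+15555550199']],
    'valid'           => ['key', '123456', '+15555550100', ['idToken' => 'tok', 'phoneNumber' => '+15555550100']],
];

foreach ($cases as $name => [$key, $otp, $phone, $resp]) {
    printf("%-16s => %s\n", $name, otp_verify_firebase_response($key, $otp, $phone, $resp) ? 'LOGIN' : 'DENY');
}
```

Only the 'valid' case yields LOGIN; every other constructed case is denied, which is the behaviour an AJAX login handler should exhibit before calling wp_set_auth_cookie or its equivalent.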

Affected Systems and Versions

  • Product: WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress
  • Affected versions: All versions up to and including 1.8.47
  • Vulnerable configuration: Sites with the plugin installed and Firebase API key missing or not configured

Vendor Security History

The plugin has a documented history of authentication-related vulnerabilities, including:

  • CVE-2024-5150: Authentication bypass in the same lwp_ajax_register function
  • Multiple vulnerabilities tracked in the WPScan plugin history

The vendor typically releases patches quickly but has faced repeated issues in similar code paths, indicating a need for improved security review and testing.
