CVE-2025-10484

Critical

Published: 17 January 2026

Published

17 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0052 67.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10484 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Woocommerce (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 33.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-2 Identification and Authentication (Organizational Users) good match

prevent

Requires robust identification and authentication for users, directly addressing the plugin's failure to verify identity before authenticating via session function.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access, preventing authentication bypass by ensuring access decisions are made post proper verification.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation, such as patching the vulnerable WooCommerce plugin to eliminate the authentication bypass vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an authentication bypass in a public-facing WordPress plugin, enabling unauthenticated remote attackers to log in as any user including administrators, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a users identity prior to…

authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password.

Deeper analysisAI

CVE-2025-10484 is an authentication bypass vulnerability in the Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress, affecting all versions up to and including 1.3.1. The flaw occurs because the plugin fails to properly verify a user's identity prior to authenticating them via the fma_lwp_set_session_php_fun() function, allowing attackers to gain unauthorized access.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation enables them to authenticate as any user on the site, including administrators, without a valid password, potentially leading to full site compromise. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-288.

Advisories from Wordfence provide threat intelligence on the issue, available at https://www.wordfence.com/threat-intel/vulnerabilities/id/6aef6fbb-be8c-49e1-ada5-7b4aa8b2ff72?source=cve. The plugin's product page at https://woocommerce.com/products/registration-login-with-mobile-phone-number/ offers additional details for affected users.