CVE-2025-8342
Published: 15 August 2025
Summary
CVE-2025-8342 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the insufficient empty value checking in the lwp_ajax_register function, preventing authentication bypass via invalid inputs.
Addresses improper Firebase API error handling when the API key is not configured, ensuring errors do not enable OTP bypass and unauthorized access.
Requires timely flaw remediation by updating the plugin beyond version 1.8.47, eliminating the authentication bypass vulnerability as per advisories.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Auth bypass in public-facing WordPress plugin directly enables remote exploitation of the web app (T1190) to obtain access to valid accounts (T1078).
NVD Description
The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for…
more
unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured.
Deeper analysisAI
CVE-2025-8342 is an authentication bypass vulnerability in the WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress, affecting all versions up to and including 1.8.47. The issue arises from insufficient empty value checking in the lwp_ajax_register function, coupled with improper Firebase API error handling when the Firebase API key is not configured. This flaw, classified under CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit the vulnerability remotely with high attack complexity and no privileges required. By targeting the registration endpoint, they can bypass OTP verification and gain administrative access to any user account that has a configured phone number, potentially leading to full site compromise including high impacts on confidentiality, integrity, and availability.
Advisories and code references, including Wordfence's threat intelligence report and WordPress plugin Trac entries, highlight the vulnerable code at lines 4358 and 4373 in login-with-phonenumber.php (version 1.8.47). A relevant changeset in the plugin repository addresses the issue, indicating that updating to a patched version is the primary mitigation.
Details
- CWE(s)