A critical authentication bypass vulnerability has been identified in a popular WordPress plugin for WooCommerce, "The Registration & Login with Mobile Phone Number". This flaw allows an unauthenticated attacker to bypass all security checks and log in as any user, including administrators, without needing a password. Successful exploitation would result in a complete compromise of the affected website, granting the attacker full control over the site's content, user data, and functionality.

This is a critical authentication bypass vulnerability. The flaw exists within the fma_lwp_set_session_php_fun() function, which is responsible for establishing a user's session upon login. The function fails to properly validate the identity of the user initiating the session, allowing an unauthenticated attacker to craft a request that forces the plugin to log them in as an arbitrary user by simply providing that user's identifier (e.g., username or user ID). This requires no prior authentication or knowledge of the victim's password.

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful attack would have a severe and direct impact on the business. An attacker gaining administrative access can steal sensitive customer data (including personal information and order history), install malicious software or backdoors, deface the website, disrupt e-commerce operations, and use the compromised server to launch further attacks. This poses significant financial, reputational, and regulatory risks, potentially leading to data breach notifications, fines, and a complete loss of customer trust.

Immediate Action: Immediately update The Registration & Login with Mobile Phone Number for WooCommerce plugin to the latest version provided by the vendor, which contains the security patch for this vulnerability. After patching, review all administrative and user accounts for any unauthorized changes or additions.

Proactive Monitoring: System administrators should actively monitor web server access logs for unusual login activity, such as multiple successful logins from a single IP to different accounts or logins from unexpected geographic locations. Look for direct requests or suspicious parameters being passed to the functions associated with the plugin's login process. Monitor the WordPress site for unauthorized new plugins, themes, or user accounts.

Compensating Controls: If patching cannot be performed immediately, disable the plugin to remove the attack vector. Alternatively, deploy a Web Application Firewall (WAF) with rules specifically designed to block malicious requests targeting this vulnerability. Restricting access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses can also add a layer of defense, though it may not protect against all exploitation scenarios.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability represents a clear and present danger to any organization using the affected plugin. We strongly recommend that organizations treat this as an emergency and apply the vendor-supplied patch immediately. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion. After patching, a thorough security audit should be conducted to search for any indicators of compromise that may have occurred prior to remediation.