CVE-2025-8342
WordPress · WordPress plugin: WooCommerce OTP Login With Phone Number, OTP Verification
A high-severity authentication bypass vulnerability has been identified in the "WooCommerce OTP Login With Phone Number, OTP Verification" plugin for WordPress.
Executive summary
A high-severity authentication bypass vulnerability has been identified in the "WooCommerce OTP Login With Phone Number, OTP Verification" plugin for WordPress. This flaw allows an unauthenticated attacker to bypass the One-Time Password (OTP) verification mechanism and potentially create a new user account or gain unauthorized access to the website. Successful exploitation could lead to website compromise, data theft, and further attacks originating from the trusted site.
Vulnerability
The vulnerability exists within the lwp_ajax_register function, which handles user registration via AJAX requests. The function fails to properly validate or sanitize input, specifically not checking for empty or null values in critical fields related to the OTP process. An unauthenticated attacker can craft a specific POST request to this function, submitting an empty value where an OTP or phone number is expected, thereby tricking the plugin into bypassing the security check and successfully completing the registration or login process without valid credentials.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could have a significant negative impact on the business by allowing unauthorized access to the WordPress environment. An attacker could create a privileged administrator account, leading to a full site takeover. Potential consequences include theft of sensitive customer data from WooCommerce, website defacement, injection of malicious code or malware, and using the compromised server to attack other systems. These outcomes pose direct risks of financial loss, reputational damage, and potential regulatory penalties for data breaches.
Remediation
Immediate Action: All administrators of websites using the "WooCommerce OTP Login With Phone Number, OTP Verification" plugin must immediately update it to the latest version provided by the vendor, which contains a patch for this vulnerability. If the plugin is not critical to business operations, it should be deactivated and removed to eliminate the attack surface entirely.
Proactive Monitoring: Security teams should monitor web server access logs for unusual POST requests to the WordPress AJAX endpoint (wp-admin/admin-ajax.php) that specify the lwp_ajax_register action. Scrutinize WordPress user audit logs for any new user accounts created around the time of the vulnerability disclosure, especially those created with suspicious usernames or from unexpected IP addresses.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to inspect and block requests to the lwp_ajax_register function that contain empty or malformed parameters. As an additional layer of defense, consider temporarily disabling new user registrations on the site until the plugin can be patched.
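To support the log monitoring recommended above, here is an added example (not part of the original advisory or the plugin's own code) that scans web server access logs in combined log format for POST requests to wp-admin/admin-ajax.php that name the lwp_ajax_register action, and tallies them per source IP so bursts from one address stand out. It assumes the action parameter appears in the query string, as it commonly does for admin-ajax.php calls; the log lines are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SUSPECT_ACTION = "lwp_ajax_register"   # AJAX action named in the advisory
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"

def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["path"])
    rec["endpoint"] = url.path
    # keep_blank_values so an empty action=... still shows up in the dict
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return rec

def is_suspect(rec):
    """True for a POST to the WordPress AJAX endpoint naming the vulnerable action."""
    return (rec is not None
            and rec["method"] == "POST"
            and rec["endpoint"].endswith(AJAX_ENDPOINT)
            and rec["query"].get("action") == SUSPECT_ACTION)

def scan(lines):
    """Return {source_ip: count} of suspect requests for triage."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if is_suspect(rec):
            hits[rec["ip"]] += 1
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Aug/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=lwp_ajax_register HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Aug/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=lwp_ajax_register HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Aug/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=lwp_ajax_register HTTP/1.1" 400 120 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Aug/2025:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Aug/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0\""""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines()))   # {'203.0.113.5': 2}
```

If the plugin sends the action only in the POST body, the access log will not contain it; that case needs WAF or application-level request logging rather than this scan.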
Exploitation status
Public Exploit Available: False (as of August 15, 2025)
Analyst recommendation
Given the high CVSS score of 8.1 and the critical impact of a successful authentication bypass, this vulnerability requires immediate attention. We strongly recommend that all organizations using the affected WordPress plugin apply the security update on an emergency basis. Due to the ease of exploitation, it is anticipated that threat actors will develop and deploy exploits quickly. Proactive patching is the most effective strategy to prevent unauthorized access and potential compromise of your web assets.