
Cloud Vulnerability DB
A community-led vulnerabilities database
The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress contains an authentication bypass vulnerability (CVE-2025-8342) discovered on August 14, 2025. The vulnerability affects all versions up to and including 1.8.47 and is caused by insufficient empty value checking in the lwp_ajax_register function (NVD).
The vulnerability stems from improper Firebase API error handling when the Firebase API key is not configured: insufficient empty value checking in the lwp_ajax_register function allows OTP verification to be bypassed. It has been assigned a CVSS v3.1 base score of 8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-862 (Missing Authorization) (NVD).
This vulnerability allows unauthenticated attackers to bypass OTP verification and gain administrative access to any user account that has a configured phone number. The high severity rating indicates potential for complete compromise of affected user accounts (NVD).
The vulnerability has been fixed in version 1.8.48 of the plugin. The update includes strengthened Firebase OTP verification logic, improved validation of API responses before authenticating users, and added validation to ensure the Firebase API key is properly configured (WordPress Plugin).
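The three changes listed for 1.8.48 amount to a fail-closed check before any login is granted. The sketch below is an added example, not the plugin's code: the function name otp_response_is_verified, the response field names (error, phoneNumber, idToken) and all sample values are assumptions constructed for illustration.

```php
<?php
// Added illustration (hypothetical helper, not taken from the plugin).
// Assumed response shape: a decoded JSON array with either an 'error'
// member or the 'phoneNumber' and 'idToken' fields.

function otp_response_is_verified(?string $api_key, $response, string $claimed_phone): bool
{
    // 1. Refuse the whole flow when the API key is not configured.
    if ($api_key === null || trim($api_key) === '') {
        return false;
    }
    // 2. The decoded response must be an array and must not carry an error.
    if (!is_array($response) || array_key_exists('error', $response)) {
        return false;
    }
    // 3. Required fields must be present, be strings and be non-empty.
    foreach (['phoneNumber', 'idToken'] as $field) {
        if (!isset($response[$field]) || !is_string($response[$field]) || $response[$field] === '') {
            return false;
        }
    }
    // 4. Strict comparison: an empty claimed phone number never matches.
    return $claimed_phone !== '' && hash_equals($response['phoneNumber'], $claimed_phone);
}

// Constructed sample inputs: [api key, decoded response, phone sent by the client].
$ok  = ['phoneNumber' => '+15550100', 'idToken' => 'constructed-token'];
$err = ['error' => ['code' => 400, 'message' => 'constructed error']];
$cases = [
    'key not configured' => ['', $err, '+15550100'],
    'error response'     => ['constructed-key', $err, '+15550100'],
    'undecodable body'   => ['constructed-key', null, '+15550100'],
    'empty phone field'  => ['constructed-key', ['phoneNumber' => '', 'idToken' => 'x'], ''],
    'different phone'    => ['constructed-key', $ok, '+15550199'],
    'valid verification' => ['constructed-key', $ok, '+15550100'],
];

foreach ($cases as $name => [$key, $resp, $phone]) {
    $result = otp_response_is_verified($key, $resp, $phone) ? 'accept' : 'reject';
    printf("%-20s %s\n", $name, $result);
}
```

Only the last case is accepted; every missing, empty or error value ends in a rejection rather than falling through to authentication.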
Source: This report was generated using AI