This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: Critical flaw in session handling (`fma_lwp_set_session_p`). **Consequences**: Full system compromise. High impact on Confidentiality, Integrity, and Availability.
Q2 Root Cause? (CWE/Flaw)
**Root Cause**: CWE-288 (Authentication Bypass). The plugin fails to properly validate or secure session tokens during setup.
Q3 Who is affected? (Versions/Components)
**Affected**: WordPress Plugin: **Registration & Login with Mobile Phone Number for WooCommerce**. **Version**: 1.3.1 and earlier. **Vendor**: FmeAddons.
Q4 What can hackers do? (Privileges/Data)
**Attacker Actions**: Bypass authentication. **Data Access**: Read sensitive user data. **Control**: Modify site settings. **Impact**: Delete content or disrupt service.
Q5 Is the exploitation threshold high? (Auth/Config)
**Threshold**: LOW. CVSS Vector: `AV:N/AC:L/PR:N/UI:N`. No authentication required. No user interaction needed. Remote exploitation is trivial.
Q6 Is there a public exploit? (PoC/Wild Exploitation)
**Exploit Status**: YES. Public PoC available on GitHub: `microcyberr/CVE-2025-10484`. Wild exploitation risk is HIGH.
Q7 How to self-check? (Features/Scanning)
**Self-Check**: Scan for the installed plugin version. Look for `Registration & Login with Mobile Phone Number for WooCommerce` ≤ v1.3.1. Check for unauthenticated session endpoints.