Attack Vectors
CVE-2025-69052 is a Medium-severity (CVSS 5.3) missing-authorization issue affecting the WordPress plugin Registration & Login with Mobile Phone Number for WooCommerce (slug: registration-login-with-mobile-phone-number) in versions up to and including 1.3.1.
Because the vulnerable function can be reached without a proper permission check, an unauthenticated attacker (no login required) may be able to trigger an unauthorized action on affected sites. In practical terms, this increases exposure for any business running WooCommerce stores that rely on this plugin for customer registration and login flows.
Reference: CVE record and Wordfence vulnerability intelligence.
Security Weakness
The root cause is a missing capability (authorization) check in the plugin. WordPress sites often rely on capability checks to ensure that only permitted users (for example, admins, shop managers, or authenticated customers) can run specific actions.
When that check is missing, the website may accept and process requests from users who should not be allowed to perform that action—creating a pathway for misuse that bypasses normal business controls such as authentication, role-based access, and internal approval workflows.
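The following PHP is an added illustration, not code from the Registration & Login with Mobile Phone Number for WooCommerce plugin, and the action, option and route names in it are hypothetical. It puts a WordPress AJAX handler that omits the authorization check beside a hardened version, and shows the same gate for a REST route, where an over-permissive permission_callback is the usual way this class of bug appears.

```php
<?php
/*
 * Added illustrative example (not the plugin's own code). Action names,
 * the option name and the REST route are hypothetical. It contrasts a
 * handler that changes state with no authorization check against a
 * hardened handler that verifies a nonce and a capability first.
 */

// --- Vulnerable pattern: reachable by anyone, no permission check ---

// wp_ajax_nopriv_* fires for visitors who are not logged in at all, so the
// callback itself must decide who may act. This one never does.
add_action( 'wp_ajax_nopriv_example_update_setting', 'example_update_setting_unchecked' );
add_action( 'wp_ajax_example_update_setting',        'example_update_setting_unchecked' );

function example_update_setting_unchecked() {
    // Missing: nonce verification and capability check.
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_plugin_setting', $value ); // hypothetical option
    wp_send_json_success( array( 'saved' => $value ) );
}

// --- Hardened pattern: nonce and capability check before any state change ---

// Only the logged-in hook is registered; unauthenticated requests never
// reach the callback and receive WordPress's default "0" response.
add_action( 'wp_ajax_example_update_setting_secure', 'example_update_setting_checked' );

function example_update_setting_checked() {
    // CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_update_setting', 'nonce' );

    // Authorization: manage_woocommerce is the capability WooCommerce grants
    // to shop managers and administrators. Use the narrowest capability that
    // fits the action being protected.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_plugin_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}

// --- Same principle for a REST route: permission_callback is the gate ---

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/setting', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_update_setting',
        // A permission_callback of __return_true would make this endpoint
        // public; tie it to the same capability check instead.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        'args' => array(
            'value' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_rest_update_setting( WP_REST_Request $request ) {
    update_option( 'example_plugin_setting', $request->get_param( 'value' ) );
    return rest_ensure_response( array( 'saved' => $request->get_param( 'value' ) ) );
}
```

When reviewing a plugin for this weakness, the practical check is to list every wp_ajax_nopriv_* hook, every admin-post.php handler and every register_rest_route() call, and confirm that each one that changes state reaches a current_user_can() (or an equivalent capability test) before it does so; a nonce alone proves the request came from a page the site served, not that the requester is allowed to perform the action.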
Remediation: Update Registration & Login with Mobile Phone Number for WooCommerce to version 1.3.2 or any newer patched version.
Technical or Business Impacts
While this vulnerability is rated Medium and the public summary does not specify the exact unauthorized action, missing-authorization issues commonly translate into meaningful business risk because they can enable unexpected or unapproved changes through the website’s public-facing surface.
Potential impacts to consider from a leadership and compliance perspective include:
Operational disruption: Unauthorized actions can interfere with normal site operations, increasing support load and slowing down revenue-generating customer journeys (registration, login, and checkout).
Brand and customer trust impact: If customer-facing flows behave unpredictably (account access issues, unusual login/registration outcomes, or altered settings), customers may lose confidence—directly affecting conversion rates and repeat purchases.
Compliance and audit exposure: Weak authorization controls can raise questions during security reviews and audits, particularly where access control is a core requirement for internal policies and external frameworks.
Recommended business action: Prioritize the update to 1.3.2+, confirm the plugin version across all environments (production, staging, regional sites), and document the remediation for compliance tracking.
Similar Attacks
Authorization and access-control gaps in WordPress plugins have repeatedly been used to carry out unauthorized actions at scale. Examples include:
WP GDPR Compliance plugin vulnerability (2018) – privilege escalation exposure
WP File Manager zero-day (2020) – widely exploited vulnerability affecting many WordPress sites