CVE-2025-4094
Published: 21 May 2025
Summary
CVE-2025-4094 is a critical-severity vulnerability (weakness type unspecified) in Unitedover Digits. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 13.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a missing rate limit on OTP validation attempts in the DIGITS: WordPress Mobile Number Signup and Login plugin prior to version 8.4.6.1. This flaw is reflected in a CVSS 3.1 score of 9.8 with an attack vector of network, low complexity, no privileges, and no user interaction, resulting in high impact to confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit the weakness by repeatedly submitting guessed OTP values during mobile-number-based registration or login flows until a valid code is found, thereby bypassing intended multi-factor protections and gaining unauthorized access to user accounts.
The WPScan advisory at the provided reference URL identifies the affected plugin versions and indicates that the issue is resolved by upgrading to 8.4.6.1 or later, which adds the missing rate-limiting controls. The associated EPSS score has remained flat at 0.0303 with no material increase since disclosure.
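As an added illustration of the control the advisory says was missing, the Python below shows an OTP verifier with a per-identifier attempt budget. It is not the plugin's code nor the fix shipped in 8.4.6.1; the policy values (6 digits, 5 attempts, 15-minute lockout), the phone number and the in-memory store are constructed assumptions. Beyond the bare counter, it handles the two details a defender would otherwise get wrong: requesting a fresh code must not reset the budget, and an exhausted code is burned so that the lock cannot be waited out against the same value. The comparison is constant-time and codes are single-use. A helper also gives the bound on guess probability that the budget buys, which is the number a risk assessment of this CVE would cite.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Policy values are illustrative assumptions, not the plugin's settings.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300        # a code is valid for five minutes
MAX_ATTEMPTS = 5             # failed guesses allowed per issued code
LOCKOUT_SECONDS = 900        # identifier is frozen after MAX_ATTEMPTS failures


@dataclass
class OtpRecord:
    code: str
    expires_at: float
    failures: int = 0
    locked_until: float = 0.0


class OtpVerifier:
    """Issues single-use numeric OTPs and verifies them under a per-identifier
    attempt budget. The dict stands in for a persistent store keyed by phone
    number (or a hash of it) so the counter survives across requests."""

    def __init__(self) -> None:
        self._records: dict[str, OtpRecord] = {}

    def issue(self, identifier: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        rec = self._records.get(identifier)
        # Re-issuing must not reset the budget: a locked identifier gets no new code.
        if rec is not None and now < rec.locked_until:
            return None
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._records[identifier] = OtpRecord(code=code, expires_at=now + OTP_TTL_SECONDS)
        return code

    def verify(self, identifier: str, submitted: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        rec = self._records.get(identifier)
        if rec is None:
            return "no_pending_otp"
        if now < rec.locked_until:
            return "locked"
        if now > rec.expires_at:
            del self._records[identifier]
            return "expired"
        # Constant-time comparison so response timing does not leak matching prefixes.
        if hmac.compare_digest(rec.code, submitted):
            del self._records[identifier]           # single use: a code never verifies twice
            return "ok"
        rec.failures += 1
        if rec.failures >= MAX_ATTEMPTS:
            rec.locked_until = now + LOCKOUT_SECONDS
            rec.expires_at = now                    # burn the code; a fresh one is required after the lock
            return "locked"
        return "invalid"


def guess_success_probability(attempts: int, digits: int = OTP_DIGITS) -> float:
    """Upper bound on the chance of guessing one code within `attempts` tries.
    Unlimited attempts drive this to 1.0; with a budget it is attempts / 10**digits."""
    return min(1.0, attempts / 10 ** digits)


if __name__ == "__main__":
    verifier = OtpVerifier()
    user = "+15555550100"                           # constructed sample identifier
    issued = verifier.issue(user, now=1000.0)
    wrong = "000000" if issued != "000000" else "999999"
    for attempt in range(MAX_ATTEMPTS):
        print(attempt + 1, verifier.verify(user, wrong, now=1001.0 + attempt))
    print("correct code during lock:", verifier.verify(user, issued, now=1006.0))
    print("re-issue during lock:", verifier.issue(user, now=1010.0))
    print("bound with budget:", guess_success_probability(MAX_ATTEMPTS))
```

The return values are distinct so server logs can record why a check failed; the client-facing message should not distinguish "invalid" from "locked", since that distinction is itself useful to a guesser. In a real deployment the store must be shared across web workers (database or cache), otherwise each worker keeps its own counter and the budget is multiplied by the worker count.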
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16076
Vulnerability details
The DIGITS: WordPress Mobile Number Signup and Login WordPress plugin before 8.4.6.1 does not rate limit OTP validation attempts, making it straightforward for attackers to brute-force them.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.