Cyber Resilience

CVE-2025-4094

Severity: Critical · Public PoC

Published: 21 May 2025
Modified: 09 June 2025
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0303 (87.0th percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-4094 is a critical-severity vulnerability in Unitedover Digits whose weakness type is unspecified (no CWE has been assigned). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 13.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is a missing rate limit on OTP validation attempts in the DIGITS: WordPress Mobile Number Signup and Login plugin prior to version 8.4.6.1. This flaw is reflected in a CVSS 3.1 score of 9.8 with an attack vector of network, low complexity, no privileges, and no user interaction, resulting in high impact to confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit the weakness by repeatedly submitting guessed OTP values during mobile-number-based registration or login flows until a valid code is found, thereby bypassing intended multi-factor protections and gaining unauthorized access to user accounts.

The WPScan advisory at the provided reference URL identifies the affected plugin versions and indicates that the issue is resolved by upgrading to 8.4.6.1 or later, which adds the missing rate-limiting controls. The associated EPSS score has remained flat at 0.0303 with no material increase since disclosure.
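The fixed release adds the rate limiting the plugin lacked. The following is an added Python example of what such a control looks like; it is not the plugin's own (PHP) code, and the policy values (5 failures per 600-second window), the phone number and the OTP are constructed for illustration.

```python
import hmac
import time
from collections import defaultdict

# Assumed policy values (constructed for this example, not from the advisory).
MAX_ATTEMPTS = 5          # failed validations tolerated per window
WINDOW_SECONDS = 600      # lockout window after the cap is reached


class OtpVerifier:
    """Validates OTPs and refuses further attempts once an identifier
    (e.g. the phone number being signed up or logged in) has exceeded
    MAX_ATTEMPTS failures inside WINDOW_SECONDS.

    The counter is keyed by the identifier, not the source IP: guessing
    spread over many addresses still hits the same cap."""

    def __init__(self, issued, clock=time.time):
        self.issued = issued                 # identifier -> currently valid OTP
        self.failures = defaultdict(list)    # identifier -> failure timestamps
        self.clock = clock                   # injectable clock for deterministic tests

    def _recent_failures(self, ident):
        cutoff = self.clock() - WINDOW_SECONDS
        self.failures[ident] = [t for t in self.failures[ident] if t > cutoff]
        return len(self.failures[ident])

    def is_locked(self, ident):
        return self._recent_failures(ident) >= MAX_ATTEMPTS

    def verify(self, ident, candidate):
        """Return 'ok', 'bad_code' or 'rate_limited'.
        A locked identifier is refused even for the correct code, so the
        lock itself cannot be used as a success oracle."""
        if self.is_locked(ident):
            return "rate_limited"
        expected = self.issued.get(ident, "")
        # Constant-time comparison: do not leak how many digits matched.
        if expected and hmac.compare_digest(expected, candidate):
            self.failures[ident].clear()
            return "ok"
        self.failures[ident].append(self.clock())
        return "bad_code"


if __name__ == "__main__":
    # Constructed sample: one issued code, five wrong guesses, then the right one.
    v = OtpVerifier({"+15550100": "482913"})
    for guess in ["000000", "111111", "222222", "333333", "444444", "482913"]:
        print(guess, v.verify("+15550100", guess))
```

Logging the `rate_limited` outcome per identifier gives the detection signal a SOC would want: a burst of locked OTP validations for one number is the footprint this flaw previously left invisible.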

Vulnerability details

The DIGITS: WordPress Mobile Number Signup and Login WordPress plugin before 8.4.6.1 does not rate limit OTP validation attempts, making it straightforward for attackers to bruteforce them.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: unitedover
Product: digits
Versions: ≤ 8.4.6.1 (as recorded; the advisory text above states the flaw is fixed in 8.4.6.1, so the affected range is versions before 8.4.6.1)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.