CVE-2025-7665
Published: 19 September 2025
Summary
CVE-2025-7665 is a high-severity Missing Authorization (CWE-862) vulnerability in the Miniorange OTP Verification with Firebase plugin for WordPress (product inferred from references). Its CVSS v3.1 base score is 8.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 35.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations identified in this analysis are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-7665 is a privilege escalation vulnerability in the Miniorange OTP Verification with Firebase plugin for WordPress, affecting versions 3.1.0 through 3.6.2. The issue arises from a missing capability check on the 'handle_mofirebase_form_options' function, classified under CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-09-19T13:15:43.973.
Unauthenticated attackers (PR:N) can exploit the vulnerability over the network (AV:N), though it requires high attack complexity (AC:H) due to the need for premium features to be enabled in the plugin. Successful exploitation enables attackers to update the default user role to Administrator, potentially allowing full control over the WordPress site.
The Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/a9a02910-5674-4266-ab6e-7926bf6adecc?source=cve and the plugin source code at https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/trunk/handler/forms/class-registrationform.php provide further details on the issue and mitigation guidance.
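The bug class behind this CVE is a WordPress form handler that writes a sensitive option without first asking WordPress who is calling. The block below is an added illustration written for this page; it is not the plugin's code, and every function, hook and field name prefixed `example_` is hypothetical. It shows the vulnerable shape (a handler reachable through the `admin_post_nopriv_` hook that updates `default_role` straight from `$_POST`) next to a hardened version that enforces a capability check, a nonce check, and an allow-list on the role value.

```php
<?php
/*
 * Added example, not code from the Miniorange plugin. Hook names, option
 * field names and function names prefixed "example_" are hypothetical.
 * Drop this file into a plugin directory to load it inside WordPress.
 */

/* ---------- Vulnerable pattern ---------- */

// Registering on both the logged-in hook and the "nopriv" hook means any
// anonymous HTTP client can reach the handler via wp-admin/admin-post.php.
add_action( 'admin_post_example_form_options', 'example_handle_form_options_vulnerable' );
add_action( 'admin_post_nopriv_example_form_options', 'example_handle_form_options_vulnerable' );

function example_handle_form_options_vulnerable() {
	if ( isset( $_POST['example_default_role'] ) ) {
		// Missing: capability check, nonce check, and validation of the role.
		// Nothing stops an unauthenticated caller from setting this to
		// "administrator", after which every new registration is an admin.
		update_option( 'default_role', sanitize_key( wp_unslash( $_POST['example_default_role'] ) ) );
	}
	wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
	exit;
}

/* ---------- Hardened pattern ---------- */

// Only the authenticated hook is registered, so anonymous requests never
// reach the handler at all (defence in depth; the checks below still apply).
add_action( 'admin_post_example_form_options', 'example_handle_form_options_hardened' );

function example_handle_form_options_hardened() {
	// 1. Authorization (AC-3): only users who may manage site options get past here.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ), 403 );
	}

	// 2. CSRF protection: the form must carry the nonce emitted by
	//    wp_nonce_field( 'example_form_options', 'example_form_nonce' ).
	check_admin_referer( 'example_form_options', 'example_form_nonce' );

	// 3. Input validation (AC-6): the default role must exist and must not be
	//    one that can manage options, so even an admin cannot misconfigure it.
	$role = isset( $_POST['example_default_role'] )
		? sanitize_key( wp_unslash( $_POST['example_default_role'] ) )
		: '';
	if ( ! example_is_allowed_default_role( $role ) ) {
		wp_die( esc_html__( 'Invalid default role.', 'example' ), 400 );
	}

	update_option( 'default_role', $role );
	wp_safe_redirect( admin_url( 'options-general.php?page=example&updated=1' ) );
	exit;
}

/**
 * Allow-list for the default role: it has to be a registered role and must
 * not grant manage_options (which would make every new user an administrator).
 *
 * @param string $role Role slug taken from the request.
 * @return bool
 */
function example_is_allowed_default_role( $role ) {
	$roles = wp_roles();
	if ( '' === $role || ! $roles->is_role( $role ) ) {
		return false;
	}
	$role_obj = $roles->get_role( $role );
	return $role_obj instanceof WP_Role && ! $role_obj->has_cap( 'manage_options' );
}
```

The three checks are independent: `current_user_can()` answers "is this user allowed to do this", `check_admin_referer()` answers "did this user intend this request", and the allow-list bounds what the request may write. A missing capability check, the defect named in this CVE, defeats the other two only if they were absent as well, so all three belong in every handler that writes options. On a site that ran an affected version (3.1.0 to 3.6.2) with premium features enabled, a quick post-incident check is `wp option get default_role` via WP-CLI (the expected value on an unmodified site is `subscriber`) together with a review of the user list for unexpected administrator accounts, followed by updating the plugin to a release outside the affected range.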
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-30292
Vulnerability details
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'handle_mofirebase_form_options' function in versions 3.1.0 to 3.6.2. This makes it possible for unauthenticated attackers to update the default role to Administrator. Premium features must be enabled in order to exploit the vulnerability.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 (Exploitation for Privilege Escalation)
Why these techniques?
Missing authorization check enables direct exploitation of the plugin to escalate to administrator role on a public-facing WordPress instance.
Affected Assets
- Miniorange OTP Verification with Firebase plugin for WordPress, versions 3.1.0 to 3.6.2 (premium features enabled)
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations, directly addressing the missing capability check on the handle_mofirebase_form_options function that allows unauthenticated privilege escalation.
- AC-6 (Least Privilege): prevents unauthenticated attackers from updating the default user role to Administrator when they lack the required capabilities.
- Flaw remediation: requires timely identification and patching of the specific flaw in Miniorange plugin versions 3.1.0 to 3.6.2, removing the exploitable code path.