Cyber Resilience

CVE-2025-7665

Severity: High
Published: 19 September 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-7665 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (the affected product is inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 35.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-7665 is a privilege escalation vulnerability in the Miniorange OTP Verification with Firebase plugin for WordPress, affecting versions 3.1.0 through 3.6.2. The issue arises from a missing capability check on the 'handle_mofirebase_form_options' function and is classified under CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-09-19 at 13:15:43 UTC.

Unauthenticated attackers (PR:N) can exploit the vulnerability over the network (AV:N). Attack complexity is rated high (AC:H) because the plugin's premium features must be enabled for the vulnerable code path to be reachable. Successful exploitation lets an attacker change the default user role to Administrator, which can lead to full control over the WordPress site once a new account is registered with that role.

Advisories and related resources, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/a9a02910-5674-4266-ab6e-7926bf6adecc?source=cve and the plugin source code at https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/trunk/handler/forms/class-registrationform.php, provide further details on the issue for mitigation guidance.
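The root cause here is a settings handler that acts on a request without confirming the caller's capability. The following added example (not the plugin's own code; all function, option and nonce names are hypothetical) shows that vulnerable pattern next to a hardened WordPress handler that checks capability, verifies a nonce and allowlists the role value so a privileged role can never become the default.

```php
<?php
// Added illustrative example; hypothetical names, not the Miniorange plugin's code.
// Both handlers update an option that stores the default role for new accounts.

// VULNERABLE pattern (CWE-862): no capability check and no nonce, so any
// request that reaches this hook can change the option, including to a
// privileged role. Premium-feature gating is not an authorization control.
function example_handle_form_options_vulnerable() {
    if ( isset( $_POST['example_default_role'] ) ) {
        $role = sanitize_text_field( wp_unslash( $_POST['example_default_role'] ) );
        update_option( 'example_default_role', $role );
    }
}

// HARDENED pattern: capability check, CSRF nonce and an allowlist of roles.
function example_handle_form_options_hardened() {
    if ( ! isset( $_POST['example_default_role'] ) ) {
        return;
    }
    // Only users allowed to manage site options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    // Reject requests that did not originate from the plugin's settings form.
    check_admin_referer( 'example_save_options', 'example_nonce' );

    $role = sanitize_key( wp_unslash( $_POST['example_default_role'] ) );
    // Allowlist: the default role for self-registered accounts is never
    // administrator or editor, regardless of what the request asks for.
    $allowed = array( 'subscriber', 'contributor' );
    if ( ! in_array( $role, $allowed, true ) || null === get_role( $role ) ) {
        wp_die( esc_html__( 'Invalid role.', 'example' ), 400 );
    }
    update_option( 'example_default_role', $role );
}
add_action( 'admin_init', 'example_handle_form_options_hardened' );
```

For detection, an unexpected change to the site's default role option in the database or an `update_option` call from an unauthenticated request path is a useful indicator to alert on.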

Vulnerability details

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'handle_mofirebase_form_options' function in versions 3.1.0 to 3.6.2. This makes it possible for unauthenticated attackers to update the default role to Administrator. Premium features must be enabled in order to exploit the vulnerability.

CWE(s)

CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing authorization check enables direct exploitation of the plugin to escalate to administrator role on a public-facing WordPress instance.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-8547 (shared CWE-862)
CVE-2026-22172 (shared CWE-862)
CVE-2025-48574 (shared CWE-862)
CVE-2026-0026 (shared CWE-862)
CVE-2025-48578 (shared CWE-862)
CVE-2025-48634 (shared CWE-862)
CVE-2026-28193 (shared CWE-862)
CVE-2026-0845 (shared CWE-862)
CVE-2025-49723 (shared CWE-862)
CVE-2024-12171 (shared CWE-862)

Affected Assets

WordPress
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations, directly addressing the missing capability check on the handle_mofirebase_form_options function that allows unauthenticated privilege escalation.

AC-6 Least Privilege (prevent)

Implements least privilege to prevent unauthenticated attackers from updating default user roles to Administrator despite lacking required capabilities.

Flaw remediation (prevent)

Requires timely identification and remediation of the specific flaw in Miniorange plugin versions 3.1.0 to 3.6.2, preventing exploitation via patching.
