WordPress Plugin Vulnerabilities

Digits < 8.4.6.1 - Auth Bypass via OTP Bruteforcing

Description

The plugin does not rate limit OTP validation attempts, making it straightforward for attackers to bruteforce them.

Proof of Concept

Affects Plugins

Plugin icon
digits
Fixed in 8.4.6.1

References

CVE
CVE-2025-4094

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Saleh Tarawneh
Submitter
Saleh Tarawneh
Verified
Yes
WPVDB ID
b5f0a263-644b-4954-a1f0-d08e2149edbb

Timeline

Publicly Published
2025-04-30 (about 8 months ago)
Added
2025-04-30 (about 8 months ago)
Last Updated
2025-04-30 (about 8 months ago)

Other

Published
Title
Published
2023-11-24
Title
Theme My Login 2FA < 1.2 - Lack of Rate Limiting
Published
2021-08-24
Title
Booster for WooCommerce < 5.4.4 - Authentication Bypass
Published
2025-03-04
Title
WP Real Estate Manager <= 2.8 - Authentication Bypass
Published
2024-08-16
Title
Login As Users < 1.4.3 - Authentication Bypass
Published
2023-04-14
Title
ZM Ajax Login & Register <= 2.0.2 - Unauthenticated Authentication Bypass