CVE-2025-4094
Published 2025-05-21
Priority: P2 (71) · Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 16.44% (96.6th percentile)
The DIGITS: WordPress Mobile Number Signup and Login WordPress plugin before 8.4.6.1 does not rate limit OTP validation attempts, making it straightforward for attackers to bruteforce them.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| unitedover | digits | < 8.4.6.1 | 8.4.6.1 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /wp-admin/admin-ajax.php with action=digits_forms_ajax and rapidly incrementing sms_otp parameter values (0000–9999 or 000000–999999) from the same source IP; this indicates OTP brute-force activity.
- Alert on high-frequency POST requests to admin-ajax.php containing both the 'action=digits_forms_ajax' and 'sms_otp=' parameters: because the plugin applies no rate limiting, hundreds of attempts per minute are possible.
- Detect a successful OTP brute-force by monitoring for a '"success":true' JSON response from admin-ajax.php that follows a series of failed OTP attempts in the digits_forms_ajax action.
- Flag POST requests to admin-ajax.php that include the X-Requested-With: XMLHttpRequest header alongside action=digits_forms_ajax and type=forgot, as this matches the exploit's forgot-password OTP bypass flow.
- The attack also applies to the registration flow: monitor for the same digits_forms_ajax action pattern outside of the forgot-password context.
- The OTP length varies (4-digit or 6-digit); detection logic must account for both sms_otp value lengths (0000–9999 and 000000–999999).
- Burp Suite Pro Intruder can also be used to perform the same attack manually, so the HTTP request pattern will be identical but may not exhibit scripted timing characteristics.
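Detection logic for the indicators above, written as an added example that is not part of the source record: it assumes a hypothetical JSON-lines proxy or WAF log that captures the request body and response body per request, groups DIGITS OTP attempts per source IP in a sliding window, handles both 4- and 6-digit sms_otp values, and reports whether a '"success":true' response followed earlier failures. The log records are constructed sample data.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

OTP_RE = re.compile(r"^(\d{4}|\d{6})$")  # DIGITS OTPs are 4 or 6 digits long

def parse_attempt(line):
    """Return (ts, src_ip, otp, success) when the JSON log line is a DIGITS OTP
    validation attempt (POST admin-ajax.php, action=digits_forms_ajax, sms_otp=...)."""
    ev = json.loads(line)  # assumed fields: ts, src_ip, method, path, body, resp_body
    if ev.get("method") != "POST" or not ev.get("path", "").endswith("/wp-admin/admin-ajax.php"):
        return None
    p = parse_qs(ev.get("body", ""))
    otp = p.get("sms_otp", [""])[0]
    if p.get("action", [""])[0] != "digits_forms_ajax" or not OTP_RE.match(otp):
        return None
    return datetime.fromisoformat(ev["ts"]), ev["src_ip"], otp, '"success":true' in ev.get("resp_body", "")

def detect_otp_bruteforce(lines, window_s=60, threshold=20):
    """Per source IP, flag >= threshold OTP attempts inside any window_s-second sliding
    window, and report whether a success response came after at least one failure."""
    per_ip = defaultdict(list)
    for line in lines:
        a = parse_attempt(line)
        if a:
            per_ip[a[1]].append(a)
    alerts = {}
    for ip, atts in per_ip.items():
        atts.sort(key=lambda a: a[0])
        lo, peak = 0, 0
        for hi in range(len(atts)):
            while (atts[hi][0] - atts[lo][0]).total_seconds() > window_s:
                lo += 1  # slide the window start forward
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            succ_after_fail = any(a[3] and any(not b[3] for b in atts[:i]) for i, a in enumerate(atts))
            alerts[ip] = {"peak_in_window": peak, "total": len(atts), "success_after_failures": succ_after_fail}
    return alerts

def constructed_log():
    """Constructed sample: 25 sequential guesses from one IP (the last succeeds) plus one legitimate attempt."""
    t0 = datetime(2025, 5, 21, 10, 0, 0)
    def rec(ts, ip, otp, ok):
        return json.dumps({"ts": ts.isoformat(), "src_ip": ip, "method": "POST",
                           "path": "/wp-admin/admin-ajax.php",
                           "body": f"action=digits_forms_ajax&type=forgot&sms_otp={otp}",
                           "resp_body": '{"success":true}' if ok else '{"success":false}'})
    lines = [rec(t0 + timedelta(seconds=2 * i), "203.0.113.5", f"{i:04d}", i == 24) for i in range(25)]
    lines.append(rec(t0, "198.51.100.7", "4821", True))
    return lines
```

Tune `window_s` and `threshold` to the site's real traffic; a legitimate user rarely submits more than a handful of OTPs per minute.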
No detection rules found.
No writeups or analysis indexed.