cbcvebase.
CVE-2025-4094
published 2025-05-21


Priority: P271 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 16.44% (96.6th percentile)
The DIGITS: WordPress Mobile Number Signup and Login WordPress plugin before 8.4.6.1 does not rate limit OTP validation attempts, making it straightforward for attackers to bruteforce them.

Affected

1 range

Vendor      Product  Version range  Fixed in
unitedover  digits   < 8.4.6.1      8.4.6.1

Detection & IOCs (extracted from sources)

  • url: /wp-admin/admin-ajax.php
  • path: /wp-content/plugins/digits/
  • command: action=digits_forms_ajax
  • command: type=forgot&forgot_pass_method=sms_otp
  • Monitor POST requests to /wp-admin/admin-ajax.php with action=digits_forms_ajax and rapidly incrementing sms_otp parameter values (0000–9999 or 000000–999999) from the same source IP, indicating OTP brute-force activity.
  • Alert on high-frequency POST requests to admin-ajax.php containing both 'action=digits_forms_ajax' and 'sms_otp=' parameters — absence of rate limiting means hundreds of attempts per minute are possible.
  • Detect successful OTP brute-force by monitoring for a '"success":true' JSON response from admin-ajax.php following a series of failed OTP attempts in the digits_forms_ajax action.
  • Flag POST requests to admin-ajax.php that include the X-Requested-With: XMLHttpRequest header alongside action=digits_forms_ajax and type=forgot, as this matches the exploit's forgot-password OTP bypass flow.
  • The attack also applies to the registration flow — monitor for the same digits_forms_ajax action pattern outside of the forgot-password context.
  • The OTP length varies (4-digit or 6-digit); detection logic must account for both sms_otp value lengths (0000–9999 and 000000–999999).
  • Burp Suite Pro Intruder can also be used to perform the same attack manually, meaning the HTTP request pattern will be identical but may not exhibit scripted timing characteristics.
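The detection logic above, written out as an added example (not code from the page or from the plugin vendor): a detector that runs over constructed request records, flags any source IP that exceeds a threshold of digits_forms_ajax OTP-validation attempts inside a one-minute window, accepts both 4- and 6-digit sms_otp values, and marks a '"success":true' response that follows earlier failures. The 20-attempts-per-minute threshold and the record layout (timestamp, source IP, path, POST body, response body) are assumptions; adapt them to what your web server or WAF actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

OTP_RE = re.compile(r"(?:^|&)sms_otp=(\d{4}|\d{6})(?:&|$)")  # 4- or 6-digit sms_otp value

def is_otp_validation(path, body):
    """True for a request to admin-ajax.php carrying action=digits_forms_ajax and an OTP value."""
    return (path.endswith("/wp-admin/admin-ajax.php")
            and "action=digits_forms_ajax" in body.split("&")
            and OTP_RE.search(body) is not None)

def detect_otp_bruteforce(records, threshold=20, window=timedelta(seconds=60)):
    """records: (iso_timestamp, src_ip, path, post_body, response_body) tuples, any order.
    Returns, per source IP with >= threshold OTP attempts inside any `window`, the peak count,
    the OTP lengths seen and whether a '"success":true' response followed earlier failures."""
    per_ip = defaultdict(list)
    for ts, ip, path, body, resp in records:
        if is_otp_validation(path, body):
            otp_len = len(OTP_RE.search(body).group(1))
            per_ip[ip].append((datetime.fromisoformat(ts), otp_len, '"success":true' in resp))
    alerts = {}
    for ip, events in per_ip.items():
        events.sort()
        peak, start, failed_before, success_after = 0, 0, False, False
        for i, (t, _, ok) in enumerate(events):
            while t - events[start][0] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, i - start + 1)
            success_after = success_after or (ok and failed_before)
            failed_before = failed_before or not ok
        if peak >= threshold:
            alerts[ip] = {"max_in_window": peak, "otp_lengths": {n for _, n, _ in events},
                          "success_after_failures": success_after}
    return alerts

def constructed_records():
    """Constructed sample telemetry (not real logs): a 4-digit sweep ending in success,
    a 6-digit sweep with no success, one legitimate OTP login and an unrelated ajax call."""
    base = datetime(2025, 5, 21, 10, 0, 0)
    ajax = "/wp-admin/admin-ajax.php"
    forgot = "action=digits_forms_ajax&type=forgot&forgot_pass_method=sms_otp&sms_otp="
    at = lambda s: (base + timedelta(seconds=s)).isoformat()
    recs = [(at(i), "203.0.113.7", ajax, forgot + f"{i:04d}", '{"success":false}') for i in range(24)]
    recs.append((at(24), "203.0.113.7", ajax, forgot + "0024", '{"success":true}'))
    recs += [(at(2 * i), "192.0.2.5", ajax, forgot + f"{i:06d}", '{"success":false}') for i in range(22)]
    recs.append((at(0), "198.51.100.9", ajax, forgot + "4831", '{"success":true}'))
    recs.append((at(0), "198.51.100.9", ajax, "action=heartbeat", "{}"))
    return recs
```

Running detect_otp_bruteforce(constructed_records()) flags the two sweeping IPs and leaves the single legitimate login alone; only the 4-digit sweep is marked as succeeding after failures.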