CVE-2024-0203

8.8 HIGH

📋 TL;DR

The Digits WordPress plugin, in versions up to and including 8.4.1, has a cross-site request forgery (CSRF) vulnerability: its settings-save handler does not validate a nonce, so a request forged from an attacker-controlled page is processed as if it came from the plugin's own admin screen. By tricking a logged-in administrator into visiting a malicious page or clicking a crafted link, an attacker can change a user's role to administrator. The attacker needs no account on the target site; the forged request is carried by the victim administrator's authenticated browser session.

💻 Affected Systems

Products:
  • WordPress Digits plugin
Versions: Up to and including 8.4.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress installation with the Digits plugin active. The vulnerable function 'digits_save_settings' lacks nonce validation, so WordPress cannot distinguish a forged cross-site request from one submitted through the plugin's own settings page.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to WordPress sites, enabling complete site takeover, data theft, malware injection, and further privilege escalation.

🟠 Likely Case

Attackers create backdoor admin accounts, modify site settings, or inject malicious content through compromised administrator sessions.

🟢 If Mitigated

On 8.4.2 or later the forged request fails nonce validation and is discarded. Where the patch is not yet applied, exploitation still depends on social-engineering a logged-in administrator, and the resulting role changes can be caught by security monitoring.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires social engineering: a logged-in administrator must be induced to visit an attacker-controlled page or click a crafted link while their WordPress session is active. The attacker needs no credentials for the site; the forged request is sent by the victim's browser with the administrator's session cookies attached, which is why the exploit counts as unauthenticated from the attacker's side.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.4.2 or later

Vendor Advisory: https://digits.unitedover.com/changelog/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Digits plugin and click 'Update Now'.
4. Verify that the installed version is 8.4.2 or higher.

🔧 Temporary Workarounds

Temporary plugin deactivation (platform: all)

Disable the Digits plugin until it is patched. This removes the vulnerable handler entirely, but also removes whatever functionality the plugin provides for the site, so plan for that before deactivating:

wp plugin deactivate digits

CSRF protection middleware (platform: all)

Add CSRF protection in front of WordPress, at the web server or reverse proxy: reject POST requests to /wp-admin/admin-ajax.php and other wp-admin endpoints whose Origin header names a foreign host, or whose Sec-Fetch-Site header (sent by current browsers) has the value cross-site. Run such a rule in log-only mode first: it can break legitimate cross-origin integrations, and a request that carries neither header (older clients, non-browser tools) passes the rule unexamined, so it is a stopgap, not a replacement for the patch.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unauthorized role changes
  • Educate administrators about phishing risks and implement click-through warnings for admin actions

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Digits plugin version 8.4.1 or earlier

Check Version:

wp plugin list --name=digits --field=version

Verify Fix Applied:

Verify Digits plugin version is 8.4.2 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unexpected user role changes in WordPress logs, in particular a user promoted to administrator with no matching action by a known administrator
  • New administrator accounts, or logins by accounts that were not administrators before, in the period after a suspicious settings change
  • POST requests to the Digits settings-save handler whose Referer or Origin header is missing or names a host other than the site itself

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php carrying action=digits_save_settings, especially with a missing or foreign Referer/Origin header
  • Requests to that handler with unexpected user_role parameters

SIEM Query:

source="wordpress" (event="user_role_change" OR action="digits_save_settings")
