CVE-2025-4094

9.8 CRITICAL

📋 TL;DR

The DIGITS WordPress plugin before version 8.4.6.1 lacks rate limiting on OTP validation attempts, allowing attackers to brute-force one-time passwords and potentially gain unauthorized access. This affects all WordPress sites using vulnerable versions of the DIGITS plugin for mobile number signup and login functionality.

💻 Affected Systems

Products:
  • DIGITS: WordPress Mobile Number Signup and Login
Versions: All versions before 8.4.6.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the DIGITS plugin enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers brute-force OTPs to gain administrative access, leading to complete site compromise, data theft, malware injection, or defacement.

🟠

Likely Case

Attackers gain unauthorized user accounts, potentially escalating privileges or accessing sensitive user data.

🟢

If Mitigated

With rate limiting or other controls, attackers cannot brute-force OTPs, maintaining normal authentication security.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Brute-force attacks are simple to automate: every guess is a single unauthenticated request, and a short numeric OTP has a small code space, so an attacker who is never throttled can enumerate it with a script.
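As an added illustration (a constructed model, not code from the DIGITS plugin), the following Python simulates an OTP verifier in the two states this advisory contrasts: with no attempt cap, an attacker who can submit unlimited guesses walks the whole code space and always succeeds; with a per-challenge cap, the same loop is refused after a handful of guesses. The 6-digit code length, the cap of 5 attempts and the phone number are assumptions for the model, not values taken from the plugin or the advisory.

```python
"""Constructed model of OTP verification with and without an attempt cap.
Added example; this is not code from the DIGITS plugin."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OTP_DIGITS = 6      # assumption for the model: 6-digit numeric OTP
MAX_ATTEMPTS = 5    # assumption: lock the challenge after 5 wrong guesses
CODE_SPACE = 10 ** OTP_DIGITS


@dataclass
class Challenge:
    code: str
    attempts: int = 0       # wrong guesses consumed so far
    consumed: bool = False  # True once the correct code was accepted


class OtpVerifier:
    """max_attempts=None reproduces the unthrottled behaviour this advisory
    describes; an integer reproduces the class of fix (a per-challenge cap)."""

    def __init__(self, max_attempts: Optional[int] = None):
        self.max_attempts = max_attempts
        self._challenges: Dict[str, Challenge] = {}

    def issue(self, phone: str, code: Optional[str] = None) -> str:
        # A real deployment sends the code by SMS and never hands it back to
        # the caller; it is returned here only so the simulation can check itself.
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):0{OTP_DIGITS}d}"
        self._challenges[phone] = Challenge(code)
        return code

    def verify(self, phone: str, guess: str) -> str:
        """Return 'ok', 'wrong' or 'locked'."""
        ch = self._challenges.get(phone)
        if ch is None or ch.consumed:
            return "locked"                      # nothing valid left to guess against
        if self.max_attempts is not None and ch.attempts >= self.max_attempts:
            return "locked"                      # the fix: further guesses are refused
        # Constant-time compare so response timing does not leak matching prefixes.
        if hmac.compare_digest(ch.code.encode(), guess.encode()):
            ch.consumed = True
            return "ok"
        ch.attempts += 1
        return "wrong"


def brute_force(verifier: OtpVerifier, phone: str) -> Tuple[Optional[str], int]:
    """Enumerate every code in order. Returns (code_found_or_None, guesses_evaluated)."""
    evaluated = 0
    for n in range(CODE_SPACE):
        guess = f"{n:0{OTP_DIGITS}d}"
        result = verifier.verify(phone, guess)
        if result == "locked":
            break                                # the cap ends the attack early
        evaluated += 1
        if result == "ok":
            return guess, evaluated
    return None, evaluated


def success_probability(max_attempts: int) -> float:
    """Chance a capped attacker guesses a uniformly random code per challenge."""
    return max_attempts / CODE_SPACE


if __name__ == "__main__":
    victim = "+15550100"                         # constructed phone number
    unthrottled = OtpVerifier(max_attempts=None)
    code = unthrottled.issue(victim)
    found, tries = brute_force(unthrottled, victim)
    print(f"no cap:  found {found} (real {code}) after {tries} guesses")

    capped = OtpVerifier(max_attempts=MAX_ATTEMPTS)
    capped.issue(victim)
    found, tries = brute_force(capped, victim)
    print(f"cap {MAX_ATTEMPTS}: found {found} after {tries} guesses; "
          f"per-challenge success odds {success_probability(MAX_ATTEMPTS):.1e}")
```

Run it as a script and the unthrottled verifier is always defeated, while the capped one turns a guaranteed break into a 5-in-a-million gamble per challenge. A real fix should also expire challenges, count attempts per phone number and not only per IP, and keep the cap server-side so a client cannot reset it by re-requesting a code without limit.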

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.4.6.1

Advisory (WPScan): https://wpscan.com/vulnerability/b5f0a263-644b-4954-a1f0-d08e2149edbb/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the DIGITS plugin and click 'Update Now'.
4. Verify the update to version 8.4.6.1 or later.

🔧 Temporary Workarounds

Implement Web Application Firewall (WAF) rate limiting (platform: all)

Configure WAF rules to rate limit OTP validation requests per source IP. An IP-only limit is a stopgap: an attacker rotating through proxies stays under it, so also cap attempts per target phone number where the WAF can key on that field.

Disable the DIGITS plugin (platform: linux, via WP-CLI)

Temporarily disable the plugin until patched, if mobile number login is not critical:

wp plugin deactivate digits

🧯 If You Can't Patch

  • Disable the DIGITS plugin entirely to eliminate the vulnerability.
  • Implement network-level rate limiting or IP blocking for excessive OTP attempts.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel under Plugins > Installed Plugins for DIGITS version below 8.4.6.1.

Check Version:

wp plugin get digits --field=version

Verify Fix Applied:

Confirm DIGITS plugin version is 8.4.6.1 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed OTP validation attempts from single IP address in WordPress or web server logs.

Network Indicators:

  • High volume of POST requests to the plugin's OTP validation endpoint from a single source (the REST route /wp-json/digits/v1/validate_otp is an illustrative path; confirm the actual route in your own access logs).

SIEM Query:

source="wordpress.log" AND "validate_otp" AND status=401 | stats count by src_ip | where count > 10

Splunk-style sketch; adapt the source and field names to your log pipeline. Treat the status filter as a tunable: a rejected OTP may be answered with HTTP 200 and a JSON error body rather than a 401, in which case count all POSTs to the endpoint per src_ip instead.
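The SIEM query above sketches the idea; here is the same detection as an added, runnable Python example over constructed web server access log lines in combined log format (this is not code from the page's vendor or the plugin). It counts POSTs to the OTP validation path per source IP inside a sliding window regardless of HTTP status, because a wrong OTP may be answered with a 200 and a JSON error body rather than a 401. The endpoint path (taken from the illustrative route above), the 60-second window, the threshold of 10 and the log lines themselves are assumptions to adjust to your environment.

```python
"""Detect OTP brute-force bursts in web server access logs (combined format).
Added example with constructed log lines; not code from the DIGITS plugin."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Assumption: the plugin's OTP validation route, as used illustratively above.
OTP_PATH = "/wp-json/digits/v1/validate_otp"
WINDOW = timedelta(seconds=60)   # assumption: sliding window length
THRESHOLD = 10                   # assumption: alert at >= 10 POSTs per IP per window

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*"$'
)


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """Return (ip, timestamp, method, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def otp_bursts(lines: Iterable[str], path: str = OTP_PATH, window: timedelta = WINDOW,
               threshold: int = THRESHOLD) -> Dict[str, int]:
    """Map each source IP to its peak number of OTP-validation POSTs inside any
    `window`, keeping only IPs at or above `threshold`. The status code is
    ignored on purpose: a rejected OTP may still be answered with HTTP 200."""
    hits: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, req_path, _status = rec
        if method == "POST" and req_path == path:
            hits[ip].append(ts)

    flagged: Dict[str, int] = {}
    for ip, times in hits.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _constructed_log() -> List[str]:
    """Constructed sample: one attacker hammering the OTP route, one normal user."""
    base = datetime(2025, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip: str, offset_s: int, method: str, path: str, status: int) -> str:
        stamp = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return (f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 87 '
                f'"https://example.invalid/login" "Mozilla/5.0"')

    attacker, user = "203.0.113.7", "198.51.100.23"
    log = [line(attacker, 2 * i, "POST", OTP_PATH, 200) for i in range(12)]  # 12 guesses in 22 s
    log += [line(user, 5, "POST", OTP_PATH, 200), line(user, 40, "POST", OTP_PATH, 200)]
    log += [line(attacker, 30, "GET", "/wp-login.php", 200)]                  # not an OTP POST
    log += [line(attacker, 400, "POST", OTP_PATH, 200)]                       # outside the window
    return log


if __name__ == "__main__":
    for ip, n in otp_bursts(_constructed_log()).items():
        print(f"ALERT {ip}: {n} OTP validation POSTs within {WINDOW.seconds}s")
```

Keying on source IP alone misses an attacker who spreads guesses across many addresses; if your logging captures the request body or the plugin logs the target phone number, run the same window count keyed on the phone number as a second rule.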
