
Description

The DIGITS: WordPress Mobile Number Signup and Login WordPress plugin before 8.4.6.1 does not rate-limit OTP validation attempts, making it straightforward for attackers to brute-force them.

PUBLISHED Reserved 2025-04-29 | Published 2025-05-21 | Updated 2025-08-27 | Assigner WPScan

Problem types

CWE-307 Improper Restriction of Excessive Authentication Attempts

Product status

Default status: unaffected

Any version before 8.4.6.1: affected

Credits

Saleh Tarawneh (finder)

WPScan (coordinator)

References

wpscan.com/...rability/b5f0a263-644b-4954-a1f0-d08e2149edbb/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2025-4094)

nvd.nist.gov (CVE-2025-4094)
