
CVE-2025-4094: CWE-287 Improper Authentication in DIGITS: WordPress Mobile Number Signup and Login

Severity: Low
Tags: vulnerability, CVE-2025-4094, CWE-287
Published: Wed May 21 2025 (05/21/2025, 06:00:09 UTC)
Source: CVE
Vendor/Project: Unknown
Product: DIGITS: WordPress Mobile Number Signup and Login

Description

The DIGITS: WordPress Mobile Number Signup and Login WordPress plugin before 8.4.6.1 does not rate limit OTP validation attempts, making it straightforward for attackers to brute-force them.

AI-Powered Analysis

Last updated: 07/06/2025, 04:54:32 UTC

Technical Analysis

CVE-2025-4094 affects the DIGITS: WordPress Mobile Number Signup and Login plugin in versions prior to 8.4.6.1. The plugin authenticates WordPress users by mobile number: a one-time password (OTP) is sent to the number and the user proves possession of the phone by submitting it. The defect is that the OTP validation step enforces no rate limit, attempt counter, or lockout, so an attacker who can trigger OTP issuance for a victim's number (or who observes a login in progress) can submit guesses against the same OTP until one matches. An OTP is only as strong as the number of guesses an attacker is allowed: a typical numeric six-digit code has one million possible values, and without throttling, exhausting that space within the code's validity window is a matter of request throughput rather than of defeating any cryptography. The weakness is classed as CWE-287 (Improper Authentication) because the mechanism fails to reliably establish that the person submitting the code actually holds the phone. The analysis assigns a CVSS v3.1 score of 9.8 with vector AV:N/AC:L/PR:N/UI:N and high confidentiality, integrity and availability impact; note that this conflicts with the Low severity label at the top of this page, and that the availability component is hard to justify, since guessing an OTP does not by itself deny service to anyone. The concrete consequence is account takeover of any user who signs in through the plugin; where an administrator authenticates this way, that amounts to site compromise. No exploitation in the wild had been reported at the time of writing.
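The following is an added illustration, not code from the DIGITS plugin or from the advisory: it models the behaviour the description attributes to the vulnerable versions (every submitted code is checked, with no attempt limit) next to a hardened verifier that caps attempts per phone number, expires the code, and destroys it after a success or after too many failures. The OTP length (6 digits), the attempt cap (5) and the validity window (300 s) are assumptions chosen for the example; the plugin's real values are not stated on this page.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

OTP_DIGITS = 6            # assumed; a common choice for numeric OTPs
MAX_ATTEMPTS = 5          # assumed cap, used by the hardened verifier only
OTP_TTL_SECONDS = 300     # assumed validity window, hardened verifier only


def generate_otp(digits: int = OTP_DIGITS) -> str:
    """Cryptographically random numeric OTP, zero-padded (e.g. '004217')."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0


class UnlimitedOtpVerifier:
    """Models the pre-8.4.6.1 behaviour described in the advisory: every
    submitted code is compared against the stored OTP with no attempt counter
    and no lockout, so the whole code space can be guessed exhaustively."""

    def __init__(self) -> None:
        self._store: dict[str, OtpRecord] = {}

    def issue(self, phone: str, code: Optional[str] = None) -> str:
        # `code` may be fixed by the caller so the demonstration is deterministic.
        code = code if code is not None else generate_otp()
        self._store[phone] = OtpRecord(code, time.time())
        return code

    def verify(self, phone: str, submitted: str, now: Optional[float] = None) -> bool:
        rec = self._store.get(phone)
        return rec is not None and rec.code == submitted   # no limit, not constant-time


class LimitedOtpVerifier(UnlimitedOtpVerifier):
    """Hardened variant: per-phone attempt counter, expiry, constant-time
    comparison, and a single-use code that is destroyed after one success or
    after MAX_ATTEMPTS failures. Guessing is bounded to MAX_ATTEMPTS per OTP."""

    def verify(self, phone: str, submitted: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        rec = self._store.get(phone)
        if rec is None:
            return False
        if now - rec.issued_at > OTP_TTL_SECONDS:
            del self._store[phone]                 # expired: force re-issue
            return False
        rec.attempts += 1
        ok = hmac.compare_digest(rec.code, submitted)
        if ok or rec.attempts >= MAX_ATTEMPTS:
            del self._store[phone]                 # one-shot on success, lockout on exhaustion
        return ok


def brute_force(verifier: UnlimitedOtpVerifier, phone: str) -> Optional[int]:
    """Enumerate every OTP_DIGITS-digit code in order against one issued OTP.
    Returns the number of guesses needed, or None if the verifier stopped
    accepting the code before it was reached."""
    for n in range(10 ** OTP_DIGITS):
        if verifier.verify(phone, f"{n:0{OTP_DIGITS}d}"):
            return n + 1
    return None


def demo(phone: str = "+447700900001", code: str = "000123") -> dict:
    """Same fixed code against both verifiers; the hardened one never yields."""
    weak, strong = UnlimitedOtpVerifier(), LimitedOtpVerifier()
    weak.issue(phone, code)
    strong.issue(phone, code)
    return {"unlimited": brute_force(weak, phone), "limited": brute_force(strong, phone)}


if __name__ == "__main__":
    print(demo())
```

Against the unlimited verifier the loop succeeds after exactly as many requests as the code's position in the enumeration; against the limited verifier the record is gone after five failures and the remaining guesses are rejected without ever touching the code. In a real deployment the counter must live server-side (database or object cache) and be keyed by the OTP session or phone number, not only by client IP, because a distributed attacker changes IPs cheaply.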

Potential Impact

For European organizations, this vulnerability poses a significant risk to any site that relies on the DIGITS plugin for user authentication. Successful exploitation yields unauthorized access to user accounts and the personal data behind them, and to payment or transactional data where the plugin gates an e-commerce workflow. The downstream consequences are data breaches, reputational damage, regulatory exposure under GDPR, and operational disruption. WordPress powers a substantial share of European websites, including many SMEs and enterprises, so the installed base of this plugin is a meaningful attack surface. Because a compromised account inherits that user's role, takeover of an administrator or editor account through the plugin gives the attacker the ability to inject malicious content or install code, and internal systems reachable from the site become a pivot target. The absence of rate limiting makes the attack fully automatable, so mass account compromise rather than targeted takeover is the realistic worst case. Organizations in regulated sectors such as finance, healthcare and public services may additionally face heightened scrutiny and compliance obligations following exploitation.

Mitigation Recommendations

Organizations should immediately update the DIGITS plugin to version 8.4.6.1 or later, where the vulnerability is fixed. If an update is not immediately possible, apply compensating controls: deploy web application firewall (WAF) rules that throttle or block rapid OTP validation attempts, keyed on the target phone number or login session as well as on the source IP, since per-IP limits alone are defeated by attackers rotating through many addresses. Where the plugin is used passwordlessly, so that the OTP is the only factor, require an additional factor for privileged accounts until the fix is in place. Monitor authentication logs for bursts of failed OTP validations against a single number and for many source addresses converging on one number, which are the two signatures of this attack. Where the application or a fronting proxy allows it, invalidate an OTP after a small number of failed attempts and keep its validity window short, so that the guess budget per code is bounded. Educate users to report login prompts or OTP messages they did not request, and ensure account recovery does not itself depend solely on the same OTP channel. Regularly audit and review plugin usage and permissions to minimize exposure. Finally, consider alternative authentication plugins with robust security features if the DIGITS plugin cannot be updated promptly.
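As an added example of the log monitoring recommended above (not tooling from the plugin or the advisory), the detector below keeps a sliding window of failed OTP validations keyed both by source IP and by target phone number, and raises one alert per key the first time the count reaches a threshold. The log lines are constructed for this example and the key=value format is an assumption; a real deployment would feed it whatever the plugin, the web server or the WAF actually emits. The sample deliberately includes a distributed attack against one number from six different IPs, which a per-IP rule never sees.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from the plugin or any real deployment);
# the key=value layout is an assumption made for this example.
SAMPLE_LOG = """\
2025-05-21T06:00:01Z ip=203.0.113.7 phone=+447700900001 action=otp_verify result=fail
2025-05-21T06:00:02Z ip=203.0.113.7 phone=+447700900001 action=otp_verify result=fail
2025-05-21T06:00:03Z ip=203.0.113.7 phone=+447700900001 action=otp_verify result=fail
2025-05-21T06:00:04Z ip=203.0.113.7 phone=+447700900001 action=otp_verify result=fail
2025-05-21T06:00:05Z ip=203.0.113.7 phone=+447700900001 action=otp_verify result=fail
2025-05-21T06:00:06Z ip=203.0.113.7 phone=+447700900001 action=otp_verify result=fail
2025-05-21T06:01:00Z ip=198.51.100.1 phone=+447700900002 action=otp_verify result=fail
2025-05-21T06:01:01Z ip=198.51.100.2 phone=+447700900002 action=otp_verify result=fail
2025-05-21T06:01:02Z ip=198.51.100.3 phone=+447700900002 action=otp_verify result=fail
2025-05-21T06:01:03Z ip=198.51.100.4 phone=+447700900002 action=otp_verify result=fail
2025-05-21T06:01:04Z ip=198.51.100.5 phone=+447700900002 action=otp_verify result=fail
2025-05-21T06:01:05Z ip=198.51.100.6 phone=+447700900002 action=otp_verify result=fail
2025-05-21T06:02:00Z ip=192.0.2.9 phone=+447700900003 action=otp_verify result=fail
2025-05-21T06:02:10Z ip=192.0.2.9 phone=+447700900003 action=otp_verify result=fail
2025-05-21T06:02:20Z ip=192.0.2.9 phone=+447700900003 action=otp_verify result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) phone=(?P<phone>\S+) "
    r"action=otp_verify result=(?P<result>\w+)$"
)


def parse_events(text):
    """Yield (timestamp, raw_ts, ip, phone, result) for each OTP validation line;
    lines that do not match the expected layout are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m["ts"]
        ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        yield ts, raw, m["ip"], m["phone"], m["result"]


def detect_otp_bruteforce(text, window_seconds=60, threshold=5):
    """Sliding-window count of failed OTP validations keyed by source IP and,
    separately, by target phone number. Returns (kind, key, raw_ts) once per key
    the first time its failures within the window reach the threshold."""
    windows = {"ip": defaultdict(deque), "phone": defaultdict(deque)}
    fired = set()
    alerts = []
    for ts, raw, ip, phone, result in parse_events(text):
        if result != "fail":
            continue
        for kind, key in (("ip", ip), ("phone", phone)):
            q = windows[kind][key]
            q.append(ts)
            # Drop failures older than the window; q always holds at least `ts`.
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and (kind, key) not in fired:
                fired.add((kind, key))
                alerts.append((kind, key, raw))
    return alerts


if __name__ == "__main__":
    for alert in detect_otp_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample, the single-source attack trips both the IP and the phone key at the fifth failure, the distributed attack trips only the phone key, and the legitimate user who mistypes twice and then succeeds produces no alert. That asymmetry is the reason the mitigation text above insists on keying limits by phone number or session, not only by IP.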


Technical Details

Data Version
5.1
Assigner Short Name
WPScan
Date Reserved
2025-04-29T13:42:37.259Z
Cisa Enriched
false
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d700cd4f2164cc9243b17

Added to database: 5/21/2025, 6:17:48 AM

Last enriched: 7/6/2025, 4:54:32 AM

Last updated: 8/14/2025, 8:00:33 PM
