CVE-2025-7665: CWE-862 Missing Authorization in cyberlord92 Miniorange OTP Verification with Firebase
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'handle_mofirebase_form_options' function in versions 3.1.0 to 3.6.2. This makes it possible for unauthenticated attackers to update the default role to Administrator. Premium features must be enabled in order to exploit the vulnerability.
AI Analysis
Technical Summary
CVE-2025-7665 is a critical vulnerability in the Miniorange OTP Verification with Firebase plugin for WordPress, affecting versions 3.1.0 through 3.6.2. The root cause is a missing authorization check (CWE-862) in the function 'handle_mofirebase_form_options', which processes the plugin's Firebase OTP form options: the function does not verify that the caller holds the capability required to change plugin settings before acting on the request. This allows unauthenticated attackers to escalate privileges by changing the default user role to Administrator, so that any account created afterwards receives full administrative access to the WordPress site. Exploitation requires the plugin's premium features to be enabled, which limits the exposed population to sites running the paid feature set. The vulnerability is remotely exploitable over the network without user interaction, but the attack complexity is rated high, indicating that non-trivial conditions must be met. The impact is severe: an attacker with admin privileges can manipulate site content, install malicious plugins, exfiltrate sensitive data, or disrupt site availability. No public exploits have been reported yet, but the CVSS score of 8.1 underscores the urgency of addressing the issue. The CVE was reserved in July 2025 and published in September 2025, with no patch currently available, which widens the risk window for affected sites. The plugin is widely deployed in WordPress environments, so the vulnerability is relevant to a broad audience.
Potential Impact
The vulnerability allows unauthenticated attackers to gain administrative privileges on affected WordPress sites, leading to a complete compromise of confidentiality, integrity, and availability. Attackers can create, modify, or delete content, install backdoors or malicious plugins, steal sensitive user data, and disrupt website operations. This can result in reputational damage, financial loss, and regulatory penalties for organizations. Since WordPress powers a significant portion of the web, including many business and government sites, the potential impact is widespread. The requirement for premium features limits the affected population but does not eliminate risk, especially for organizations relying on enhanced security or authentication features provided by the plugin. The absence of known exploits in the wild currently reduces immediate risk, but the high severity and ease of remote exploitation without authentication make this a critical threat to monitor.
Mitigation Recommendations
1. Immediately disable the premium features of the Miniorange OTP Verification with Firebase plugin until an official patch is released.
2. Restrict access to plugin-related endpoints using web application firewalls (WAFs) or server-level access controls to prevent unauthorized requests.
3. Monitor WordPress user roles regularly for unauthorized changes, especially the default role settings.
4. Implement strict logging and alerting on administrative role modifications to detect potential exploitation attempts.
5. Apply the principle of least privilege by limiting the number of users with administrative rights.
6. Keep WordPress core, themes, and other plugins updated to reduce overall attack surface.
7. Consider deploying runtime application self-protection (RASP) solutions to detect and block suspicious behavior related to privilege escalation.
8. Once available, promptly apply vendor patches or updates addressing this vulnerability.
9. Educate site administrators about the risks of enabling premium features without proper security controls.
10. Conduct regular security audits and penetration testing focusing on authentication and authorization mechanisms.
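The fix pattern for a CWE-862 flaw of this kind in a WordPress settings handler is a capability check, a nonce check, and input validation before the option is written. The following is an added illustration, not code from the Miniorange plugin; the hook, function, and option names (`example_handle_otp_form_options`, `example_otp_nonce`, the `default_role` form field) are hypothetical.

```php
<?php
// Added illustration of the authorization checks a WordPress option handler
// needs. Names are hypothetical; this is not the plugin's own code.
//
// Registering only on 'admin_post_{action}' (and not 'admin_post_nopriv_')
// already keeps unauthenticated requests away from the handler.
add_action( 'admin_post_example_save_otp_options', 'example_handle_otp_form_options' );

function example_handle_otp_form_options() {
    // 1. Authorization: only users allowed to manage site options may proceed.
    //    Omitting this check is the missing-authorization condition (CWE-862):
    //    any request that reaches the handler would be honoured.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ), 403 );
    }

    // 2. CSRF protection: the submitted form must carry a valid nonce.
    check_admin_referer( 'example_otp_options', 'example_otp_nonce' );

    // 3. Validate the requested default role against the roles WordPress
    //    actually defines, and never let a form promote new users to administrator.
    $requested = isset( $_POST['default_role'] )
        ? sanitize_key( wp_unslash( $_POST['default_role'] ) )
        : '';
    $allowed = array_diff( array_keys( wp_roles()->roles ), array( 'administrator' ) );
    if ( ! in_array( $requested, $allowed, true ) ) {
        wp_die( esc_html__( 'Invalid default role.', 'example' ), 400 );
    }

    // 4. Persist the change and leave an audit trail of who made it, which is
    //    what the "log and alert on role modifications" recommendation relies on.
    $previous = get_option( 'default_role' );
    update_option( 'default_role', $requested );
    error_log( sprintf(
        'default_role changed from %s to %s by user %d',
        $previous,
        $requested,
        get_current_user_id()
    ) );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
```

Monitoring the `default_role` option for unexpected values (anything other than the role the site intends, and in particular `administrator`) is the simplest detection for the scenario described above.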
Affected Countries
United States, India, Germany, United Kingdom, Canada, Australia, Brazil, France, Netherlands, Japan, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-14T21:34:58.243Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68cd76f94b8a032c4faa6395
Added to database: 9/19/2025, 3:30:01 PM
Last enriched: 2/26/2026, 4:25:58 PM
Last updated: 3/24/2026, 5:48:14 PM