Skip to main content

Digits (WordPress plugin) CVE-2026-13741

| EUVDEUVD-2026-44897 HIGH
Improper Privilege Management (CWE-269)
2026-07-16 Wordfence GHSA-9xxr-jm2h-93xc
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
HIGH
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Remote authenticated Subscriber (PR:L) sends a single low-complexity request with no user interaction to gain Administrator, yielding full C/I/A impact on the same site (S:U).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 09:03 vuln.today
CVE Published
Jul 16, 2026 - 08:26 cve.org
HIGH 8.8

DescriptionNVD

The Digits: WordPress Mobile Number Signup and Login plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 9.1.0.5. This is due to missing authorization and role validation in the dig_update_wpwc_custom_fields() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator by submitting a forged digits_reg_userrole value during profile update, granted the site administrator has configured the built-in DIGITS User Role field.

AnalysisAI

Privilege escalation in the Digits WordPress Mobile Number Signup and Login plugin (all versions through 9.1.0.5) lets authenticated Subscriber-level users promote themselves to Administrator by submitting a forged digits_reg_userrole value during a profile update. The flaw stems from the dig_update_wpwc_custom_fields() function failing to validate the caller's authorization or the requested role. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain Subscriber account
Delivery
Access profile update endpoint
Exploit
Submit forged digits_reg_userrole=administrator
Execution
dig_update_wpwc_custom_fields writes role unchecked
Persist
Account elevated to Administrator
Impact
Full site takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) an authenticated account of at least Subscriber level - obtainable via self-registration where the site permits it - and (2) the site administrator having configured the plugin's built-in DIGITS User Role field, which activates the vulnerable profile-update path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H - network-reachable, low complexity, requires only low privileges (an existing Subscriber account), no user interaction, and full C/I/A impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a normal account (Subscriber) on a WordPress site running a vulnerable Digits version that has the DIGITS User Role field configured, then sends a crafted profile-update request that includes digits_reg_userrole set to 'administrator'. Because dig_update_wpwc_custom_fields() does not check authorization or validate the role, the account is elevated to Administrator, giving the attacker full control of the site. …
Remediation No exact fixed version is stated in the provided data, so treat this as: upstream fix status not independently confirmed - upgrade to the latest Digits release above 9.1.0.5 and verify against the vendor changelog (https://digits.unitedover.com/changelog/) that the build post-dates the fix for this issue. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all WordPress deployments to identify active installations of the Digits plugin at version 9.1.0.5 or earlier, and audit user accounts to detect any Subscribers who may have exploited this flaw to gain Administrator roles. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy