Skip to main content

miniOrange OTP Verification EUVDEUVD-2026-32177

| CVE-2026-42731 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-05-27 audit@patchstack.com GHSA-57c7-rcv3-9v8r
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 19:46 vuln.today

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation.This issue affects miniorange otp verification: from n/a through <= 5.4.9.

AnalysisAI

Privilege escalation in the miniOrange OTP Verification WordPress plugin (all versions up to and including 5.4.9) lets remote unauthenticated attackers gain elevated privileges due to incorrect privilege assignment (CWE-266). With a CVSS 9.8 vector indicating network reach, no authentication, and no user interaction, a successful attack can fully compromise the confidentiality, integrity, and availability of the affected WordPress site. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The affected component is miniOrange OTP Verification, a WordPress plugin that adds one-time-password (OTP) based verification (email/SMS) to registration, login, and form flows. The root cause is CWE-266 (Incorrect Privilege Assignment), where the plugin grants a level of access or capability that does not match the intended trust boundary - for example assigning roles/capabilities or trusting client-supplied identity during an OTP-gated flow without proper server-side authorization checks. Because WordPress plugins execute within the site's PHP request lifecycle and can manipulate user roles and capabilities, a flaw here can elevate an actor's effective privileges within the WordPress authorization model. No CPE strings were supplied in the input, so exact affected configurations beyond the plugin name and version ceiling are not enumerated here.

RemediationAI

No vendor-released patch version is identified in the provided data; the input only establishes that versions through 5.4.9 are vulnerable, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/miniorange-otp-verification/vulnerability/wordpress-miniorange-otp-verification-plugin-5-4-9-privilege-escalation-vulnerability?_s_id=cve) and the WordPress plugin repository to upgrade to the latest release above 5.4.9 once confirmed. Until a verified fixed version is applied, the most effective compensating control is to deactivate and remove the miniOrange OTP Verification plugin, accepting the trade-off that OTP-based registration/login verification will be unavailable; if the plugin cannot be removed, restrict access to the affected site's registration, login, and OTP-handling endpoints (for example via a WAF rule or virtual patch, which Patchstack offers, or IP allow-listing of administrative paths), understanding this may block legitimate users behind shared IPs and does not address the underlying privilege-assignment flaw. Also audit existing WordPress user accounts and roles for unexpected privilege elevation, since exploitation could have already altered account capabilities.

Share

EUVD-2026-32177 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy