Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation.This issue affects miniorange otp verification: from n/a through <= 5.4.9.
AnalysisAI
Privilege escalation in the miniOrange OTP Verification WordPress plugin (all versions up to and including 5.4.9) lets remote unauthenticated attackers gain elevated privileges due to incorrect privilege assignment (CWE-266). With a CVSS 9.8 vector indicating network reach, no authentication, and no user interaction, a successful attack can fully compromise the confidentiality, integrity, and availability of the affected WordPress site. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
The affected component is miniOrange OTP Verification, a WordPress plugin that adds one-time-password (OTP) based verification (email/SMS) to registration, login, and form flows. The root cause is CWE-266 (Incorrect Privilege Assignment), where the plugin grants a level of access or capability that does not match the intended trust boundary - for example assigning roles/capabilities or trusting client-supplied identity during an OTP-gated flow without proper server-side authorization checks. Because WordPress plugins execute within the site's PHP request lifecycle and can manipulate user roles and capabilities, a flaw here can elevate an actor's effective privileges within the WordPress authorization model. No CPE strings were supplied in the input, so exact affected configurations beyond the plugin name and version ceiling are not enumerated here.
RemediationAI
No vendor-released patch version is identified in the provided data; the input only establishes that versions through 5.4.9 are vulnerable, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/miniorange-otp-verification/vulnerability/wordpress-miniorange-otp-verification-plugin-5-4-9-privilege-escalation-vulnerability?_s_id=cve) and the WordPress plugin repository to upgrade to the latest release above 5.4.9 once confirmed. Until a verified fixed version is applied, the most effective compensating control is to deactivate and remove the miniOrange OTP Verification plugin, accepting the trade-off that OTP-based registration/login verification will be unavailable; if the plugin cannot be removed, restrict access to the affected site's registration, login, and OTP-handling endpoints (for example via a WAF rule or virtual patch, which Patchstack offers, or IP allow-listing of administrative paths), understanding this may block legitimate users behind shared IPs and does not address the underlying privilege-assignment flaw. Also audit existing WordPress user accounts and roles for unexpected privilege elevation, since exploitation could have already altered account capabilities.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32177
GHSA-57c7-rcv3-9v8r