WordPress Digits Plugin Flaw: OTP Bypass Comedy of Errors!
The Digits plugin for WordPress, before version 8.4.6.1, has a vulnerability allowing OTP brute-force attacks. With no rate limiting, attackers can bypass authentication by guessing OTPs in the “Forgot Password” flow. This flaw, CVE-2025-4094, could lead to improper authentication. Remember, even a robot can crack a code if you give it unlimited tries!
Hot Take:
WordPress sites are about as secure as a chocolate teapot with the Digits Plugin’s OTP vulnerability. Cybercriminals are having a field day with this one, and it’s a classic case of ‘Oops, we forgot to add rate limiting!’ Now, instead of locking hackers out, WordPress is practically rolling out the red carpet. It’s the security equivalent of leaving your keys in the door and going on vacation. Kudos to Saleh Tarawneh for shining a spotlight on this glaring oversight. Time for developers to dig into the digits and patch this up before it becomes a free-for-all!
Key Points:
- Digits Plugin for WordPress before version 8.4.6.1 is vulnerable.
- Attackers can bypass authentication via OTP brute-forcing.
- The vulnerability arises from missing rate limiting on OTP requests.
- Critical CVSS score of 9.8, highlighting the severity.
- Toolkits like Burp Suite can automate the attack process.