Privilege Escalation in Miniorange OTP Verification with Firebase Plugin for WordPress
CVE-2025-7665

8.1HIGH

Key Information:

Vendor: WordPress
Status: Miniorange Otp Verification With Firebase
Vendor: CVE Published:; 19 September 2025

What is CVE-2025-7665?

The Miniorange OTP Verification with Firebase plugin for WordPress features a security vulnerability that permits unauthenticated users to elevate their privileges and update the default role to Administrator. This issue arises due to a missing capability check in the 'handle_mofirebase_form_options' function, specifically affecting versions from 3.1.0 to 3.6.2. Exploiting this vulnerability requires premium features to be activated, which allows attackers to change user roles without proper authorization.

Affected Version(s)

Miniorange OTP Verification with Firebase 3.1.0 <= 3.6.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/miniorange-fir...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 19, 2025
Vulnerability Reserved
Jul 14, 2025

Credit

Kenneth Dunn