Privilege Escalation in Digits WordPress Login Plugin Exposes User Roles
CVE-2026-13741
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 16 July 2026
What is CVE-2026-13741?
The Digits: WordPress Mobile Number Signup and Login plugin is susceptible to a privilege escalation vulnerability across all versions up to and including 9.1.0.5. This issue stems from insufficient authorization and role validation within the dig_update_wpwc_custom_fields() function. Authenticated users, specifically those with Subscriber-level access or higher, can exploit this flaw to elevate their privileges to those of an Administrator by sending a crafted digits_reg_userrole value during a profile update. The risk is increased when a site administrator has enabled the built-in DIGITS User Role field, potentially allowing unauthorized access to sensitive administrative functions.
Affected Version(s)
Digits: WordPress Mobile Number Signup and Login 0 <= 9.1.0.5