Privilege Escalation in Digits WordPress Login Plugin Exposes User Roles
CVE-2026-13741

8.8HIGH

What is CVE-2026-13741?

The Digits: WordPress Mobile Number Signup and Login plugin is susceptible to a privilege escalation vulnerability across all versions up to and including 9.1.0.5. This issue stems from insufficient authorization and role validation within the dig_update_wpwc_custom_fields() function. Authenticated users, specifically those with Subscriber-level access or higher, can exploit this flaw to elevate their privileges to those of an Administrator by sending a crafted digits_reg_userrole value during a profile update. The risk is increased when a site administrator has enabled the built-in DIGITS User Role field, potentially allowing unauthorized access to sensitive administrative functions.

Affected Version(s)

Digits: WordPress Mobile Number Signup and Login 0 <= 9.1.0.5

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

h0xilo
.