CVE-2025-4094

CRITICAL

DIGITS: WordPress Mobile <8.4.6.1 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-4094. PoCs published by Saleh Tarawneh, POCPioneer, starawneh.

AI-analyzed exploit summary: This PoC exploits an OTP brute-force vulnerability in the WordPress Digits Plugin (CVE-2025-4094) due to missing rate limiting. It automates brute-forcing 4-digit OTPs (or 6-digit) in the 'Forgot Password' flow to bypass authentication.

Description

The DIGITS: WordPress Mobile Number Signup and Login WordPress plugin before 8.4.6.1 does not rate limit OTP validation attempts, making it straightforward for attackers to brute-force them.

Exploits (3)

exploitdb · WORKING POC
by Saleh Tarawneh · text · webapps · multiple
https://www.exploit-db.com/exploits/52307

Classification
Working PoC 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: WordPress Digits Plugin < 8.4.6.1
No auth needed
Prerequisites: Intercepted OTP verification request parameters · Valid target phone number
devstral-2 · analyzed Feb 16, 2026

nomisec · WORKING POC · 2 stars
by POCPioneer · poc
https://github.com/POCPioneer/CVE-2025-4094-POC

This is a functional proof-of-concept exploit for CVE-2025-4094, targeting an OTP authentication bypass in the WordPress Digits plugin (versions < 8.4.6.1). The script uses a brute-force approach with parallel requests to bypass OTP verification.

Classification
Working PoC 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: WordPress Digits Plugin < 8.4.6.1
No auth needed
Prerequisites: Target URL · Phone number · Instance ID from intercepted request
devstral-2 · analyzed Feb 16, 2026

nomisec · WORKING POC · 1 star
by starawneh · poc
https://github.com/starawneh/CVE-2025-4094

This repository contains a functional PoC for CVE-2025-4094, an OTP brute-force vulnerability in the WordPress Digits plugin. The exploit automates brute-forcing OTP codes due to missing rate limiting, allowing authentication bypass.

Classification
Working PoC 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: WordPress Digits Plugin < 8.4.6.1
No auth needed
Prerequisites: Target WordPress site with vulnerable Digits plugin · Intercepted request parameters for OTP verification
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory · tags: exploit, vdb-entry, technical-description
https://wpscan.com/vulnerability/b5f0a263-644b-4954-a1f0-d08e2149edbb/

Scores

CVSS v3 9.8
EPSS 0.0303
EPSS Percentile 87.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

Status published
Products (1)
unitedover/digits < 8.4.6.1
Published May 21, 2025
Tracked Since Feb 18, 2026