CVE-2025-4094

CRITICAL

DIGITS: WordPress Mobile <8.4.6.1 - Info Disclosure

Description

The DIGITS: WordPress Mobile Number Signup and Login WordPress plugin before 8.4.6.1 does not rate-limit OTP validation attempts, making it straightforward for attackers to brute-force them.

Exploits (3)

exploitdb WORKING POC
by Saleh Tarawneh · text · webapps · multiple
https://www.exploit-db.com/exploits/52307

nomisec WORKING POC 2 stars
by POCPioneer · poc
https://github.com/POCPioneer/CVE-2025-4094-POC

nomisec WORKING POC 1 star
by starawneh · poc
https://github.com/starawneh/CVE-2025-4094

Scores

CVSS v3: 9.8
EPSS: 0.0303
EPSS Percentile: 86.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status: published
Products (1)
unitedover/digits < 8.4.6.1
Published: May 21, 2025
Tracked Since: Feb 18, 2026