CVE-2024-9863

Published: Oct 17, 2024Modified: Apr 8, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: security@wordfence.com (Secondary)

Description

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled.

Related CWEs

CWE-266

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References (3)

https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-registrationform.php#L194

Source: security@wordfence.com

https://plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verification#file4

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/f04eab14-dd86-4145-b5eb-20d064bc8417?source=cve

Source: security@wordfence.com

Timeline

No history available yet.