Skip to content
Threat Feed
high advisory

WordPress Digits Plugin Privilege Escalation via Missing Authorization

The Digits: WordPress Mobile Number Signup and Login plugin is vulnerable to privilege escalation, allowing authenticated attackers with Subscriber-level access to elevate privileges to Administrator by submitting a forged `digits_reg_userrole` value during profile update, impacting WordPress sites configured with the built-in DIGITS User Role field.

A critical privilege escalation vulnerability, tracked as CVE-2026-13741, affects all versions up to and including 9.1.0.5 of the "Digits: WordPress Mobile Number Signup and Login" plugin. This flaw stems from inadequate authorization and role validation within the dig_update_wpwc_custom_fields() function. Exploiting this vulnerability allows authenticated attackers, even those with low-privileged Subscriber accounts, to escalate their privileges to full Administrator rights. This is achieved by manipulating the digits_reg_userrole parameter during a standard profile update request. The prerequisite for this exploit is that the site administrator must have enabled and configured the built-in DIGITS User Role field. Successful exploitation grants complete control over the affected WordPress instance, posing a significant risk to data integrity, confidentiality, and availability.

Attack Chain

  1. Initial Access (Authenticated): An attacker gains or possesses a valid, authenticated user account with Subscriber-level privileges or higher on a WordPress site running the vulnerable Digits plugin.
  2. Profile Update Request: The attacker navigates to their user profile page within the WordPress dashboard, where they would typically update their personal information.
  3. Interception/Manipulation: The attacker intercepts the legitimate profile update HTTP POST request sent by their browser to the WordPress server.
  4. Parameter Forgery: The attacker modifies the intercepted request to include or alter the digits_reg_userrole parameter, setting its value to that of an Administrator role (e.g., 'administrator').
  5. Request Submission: The forged HTTP POST request, containing the manipulated digits_reg_userrole value, is then submitted to the dig_update_wpwc_custom_fields() function on the WordPress server.
  6. Privilege Escalation: Due to the missing authorization and role validation in the plugin's function, the server processes the request and updates the attacker's user role to Administrator.
  7. Administrator Access: The attacker now has full administrative control over the WordPress site, enabling them to install plugins, themes, modify site content, and access sensitive information.

Impact

Successful exploitation of CVE-2026-13741 results in complete compromise of the affected WordPress site. An attacker gains full Administrator privileges, allowing them to take control of the website. This can lead to unauthorized data access, website defacement, injection of malicious code (e.g., for phishing, malware distribution, or SEO spam), installation of backdoors, complete deletion of site content, or further network penetration. The vulnerability affects a widely used plugin, making numerous WordPress installations susceptible if the built-in DIGITS User Role field is configured. Organizations using this plugin risk significant reputational damage, data breaches, and service disruption.

Recommendation

  • Patch CVE-2026-13741 immediately by updating the Digits: WordPress Mobile Number Signup and Login plugin to a version greater than 9.1.0.5.
  • Deploy the Sigma rule below to your SIEM solution to detect attempts to exploit the missing authorization in the dig_update_wpwc_custom_fields() function.
  • Enable webserver access logging to capture HTTP POST requests, specifically focusing on parameters related to user profile updates and potential role changes.

Detection coverage 1

Detects CVE-2026-13741 Exploitation - WordPress Digits Plugin Privilege Escalation

high

Detects exploitation attempts against CVE-2026-13741, where an authenticated attacker attempts to escalate privileges by forging the 'digits_reg_userrole' parameter during a WordPress profile update request to an administrative role like 'administrator' or 'editor'.

sigma tactics: privilege_escalation techniques: T1078 sources: webserver

Detection queries are available on the platform. Get full rules →