{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/digits-wordpress-mobile-number-signup-and-login-plugin--9.1.0.5/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-13741"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Digits: WordPress Mobile Number Signup and Login plugin \u003c= 9.1.0.5"],"_cs_severities":["high"],"_cs_tags":["wordpress","privilege-escalation","web-vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["The Digits"],"content_html":"\u003cp\u003eA critical privilege escalation vulnerability, tracked as CVE-2026-13741, affects all versions up to and including 9.1.0.5 of the \u0026quot;Digits: WordPress Mobile Number Signup and Login\u0026quot; plugin. This flaw stems from inadequate authorization and role validation within the \u003ccode\u003edig_update_wpwc_custom_fields()\u003c/code\u003e function. Exploiting this vulnerability allows authenticated attackers, even those with low-privileged Subscriber accounts, to escalate their privileges to full Administrator rights. This is achieved by manipulating the \u003ccode\u003edigits_reg_userrole\u003c/code\u003e parameter during a standard profile update request. The prerequisite for this exploit is that the site administrator must have enabled and configured the built-in DIGITS User Role field. Successful exploitation grants complete control over the affected WordPress instance, posing a significant risk to data integrity, confidentiality, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Authenticated):\u003c/strong\u003e An attacker gains or possesses a valid, authenticated user account with Subscriber-level privileges or higher on a WordPress site running the vulnerable Digits plugin.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProfile Update Request:\u003c/strong\u003e The attacker navigates to their user profile page within the WordPress dashboard, where they would typically update their personal information.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInterception/Manipulation:\u003c/strong\u003e The attacker intercepts the legitimate profile update HTTP POST request sent by their browser to the WordPress server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eParameter Forgery:\u003c/strong\u003e The attacker modifies the intercepted request to include or alter the \u003ccode\u003edigits_reg_userrole\u003c/code\u003e parameter, setting its value to that of an Administrator role (e.g., 'administrator').\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRequest Submission:\u003c/strong\u003e The forged HTTP POST request, containing the manipulated \u003ccode\u003edigits_reg_userrole\u003c/code\u003e value, is then submitted to the \u003ccode\u003edig_update_wpwc_custom_fields()\u003c/code\u003e function on the WordPress server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Due to the missing authorization and role validation in the plugin's function, the server processes the request and updates the attacker's user role to Administrator.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdministrator Access:\u003c/strong\u003e The attacker now has full administrative control over the WordPress site, enabling them to install plugins, themes, modify site content, and access sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-13741 results in complete compromise of the affected WordPress site. An attacker gains full Administrator privileges, allowing them to take control of the website. This can lead to unauthorized data access, website defacement, injection of malicious code (e.g., for phishing, malware distribution, or SEO spam), installation of backdoors, complete deletion of site content, or further network penetration. The vulnerability affects a widely used plugin, making numerous WordPress installations susceptible if the built-in DIGITS User Role field is configured. Organizations using this plugin risk significant reputational damage, data breaches, and service disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-13741 immediately\u003c/strong\u003e by updating the Digits: WordPress Mobile Number Signup and Login plugin to a version greater than 9.1.0.5.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule below\u003c/strong\u003e to your SIEM solution to detect attempts to exploit the missing authorization in the \u003ccode\u003edig_update_wpwc_custom_fields()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable webserver access logging\u003c/strong\u003e to capture HTTP POST requests, specifically focusing on parameters related to user profile updates and potential role changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T09:17:25Z","date_published":"2026-07-16T09:17:25Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-13741/","summary":"The Digits: WordPress Mobile Number Signup and Login plugin is vulnerable to privilege escalation, allowing authenticated attackers with Subscriber-level access to elevate privileges to Administrator by submitting a forged `digits_reg_userrole` value during profile update, impacting WordPress sites configured with the built-in DIGITS User Role field.","title":"WordPress Digits Plugin Privilege Escalation via Missing Authorization","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-13741/"}],"language":"en","title":"CraftedSignal Threat Feed - Digits: WordPress Mobile Number Signup and Login Plugin \u003c= 9.1.0.5","version":"https://jsonfeed.org/version/1.1"}