<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>The Digits - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/the-digits/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 09:17:25 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/the-digits/feed.xml" rel="self" type="application/rss+xml"/><item><title>WordPress Digits Plugin Privilege Escalation via Missing Authorization</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-13741/</link><pubDate>Thu, 16 Jul 2026 09:17:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-13741/</guid><description>The Digits: WordPress Mobile Number Signup and Login plugin is vulnerable to privilege escalation, allowing authenticated attackers with Subscriber-level access to elevate privileges to Administrator by submitting a forged `digits_reg_userrole` value during profile update, impacting WordPress sites configured with the built-in DIGITS User Role field.</description><content:encoded><![CDATA[<p>A critical privilege escalation vulnerability, tracked as CVE-2026-13741, affects all versions up to and including 9.1.0.5 of the &quot;Digits: WordPress Mobile Number Signup and Login&quot; plugin. This flaw stems from inadequate authorization and role validation within the <code>dig_update_wpwc_custom_fields()</code> function. Exploiting this vulnerability allows authenticated attackers, even those with low-privileged Subscriber accounts, to escalate their privileges to full Administrator rights. This is achieved by manipulating the <code>digits_reg_userrole</code> parameter during a standard profile update request. The prerequisite for this exploit is that the site administrator must have enabled and configured the built-in DIGITS User Role field. Successful exploitation grants complete control over the affected WordPress instance, posing a significant risk to data integrity, confidentiality, and availability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access (Authenticated):</strong> An attacker gains or possesses a valid, authenticated user account with Subscriber-level privileges or higher on a WordPress site running the vulnerable Digits plugin.</li>
<li><strong>Profile Update Request:</strong> The attacker navigates to their user profile page within the WordPress dashboard, where they would typically update their personal information.</li>
<li><strong>Interception/Manipulation:</strong> The attacker intercepts the legitimate profile update HTTP POST request sent by their browser to the WordPress server.</li>
<li><strong>Parameter Forgery:</strong> The attacker modifies the intercepted request to include or alter the <code>digits_reg_userrole</code> parameter, setting its value to that of an Administrator role (e.g., 'administrator').</li>
<li><strong>Request Submission:</strong> The forged HTTP POST request, containing the manipulated <code>digits_reg_userrole</code> value, is then submitted to the <code>dig_update_wpwc_custom_fields()</code> function on the WordPress server.</li>
<li><strong>Privilege Escalation:</strong> Due to the missing authorization and role validation in the plugin's function, the server processes the request and updates the attacker's user role to Administrator.</li>
<li><strong>Administrator Access:</strong> The attacker now has full administrative control over the WordPress site, enabling them to install plugins, themes, modify site content, and access sensitive information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-13741 results in complete compromise of the affected WordPress site. An attacker gains full Administrator privileges, allowing them to take control of the website. This can lead to unauthorized data access, website defacement, injection of malicious code (e.g., for phishing, malware distribution, or SEO spam), installation of backdoors, complete deletion of site content, or further network penetration. The vulnerability affects a widely used plugin, making numerous WordPress installations susceptible if the built-in DIGITS User Role field is configured. Organizations using this plugin risk significant reputational damage, data breaches, and service disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-13741 immediately</strong> by updating the Digits: WordPress Mobile Number Signup and Login plugin to a version greater than 9.1.0.5.</li>
<li><strong>Deploy the Sigma rule below</strong> to your SIEM solution to detect attempts to exploit the missing authorization in the <code>dig_update_wpwc_custom_fields()</code> function.</li>
<li><strong>Enable webserver access logging</strong> to capture HTTP POST requests, specifically focusing on parameters related to user profile updates and potential role changes.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>privilege-escalation</category><category>web-vulnerability</category><category>cve</category></item></channel></rss>