CVE-2025-7665

8.1 HIGH

Published: September 19, 2025 Modified: April 15, 2026

Description

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'handle_mofirebase_form_options' function in versions 3.1.0 to 3.6.2. This makes it possible for unauthenticated attackers to update the default role to Administrator. Premium features must be enabled in order to exploit the vulnerability.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/trunk/handler/forms/class-registrationform.php

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/a9a02910-5674-4266-ab6e-7926bf6adecc?source=cve

Source: security@wordfence.com

2 reference(s) from NVD

Quick Stats

CVSS v3 Score

8.1 / 10.0

EPSS (Exploit Probability)

0.1%

30th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-862

Related CVEs

CVE-2026-6842 2.5

CVE-2026-6023 8.1

CVE-2026-6022 7.5

CVE-2026-40542 N/A

CVE-2026-6840 5.5