CVE-2025-7665
Miniorange · Miniorange OTP Verification with Firebase plugin for WordPress
A high-severity privilege escalation vulnerability exists in the Miniorange OTP Verification with Firebase plugin for WordPress.
Executive summary
A high-severity privilege escalation vulnerability exists in the Miniorange OTP Verification with Firebase plugin for WordPress. This flaw allows a low-privileged attacker, such as a subscriber, to gain administrative control over an affected website. Successful exploitation could lead to a complete site compromise, data theft, or malware distribution.
Vulnerability
The vulnerability is due to a missing capability check within the handle_mofirebase_form_options function. This function fails to verify if the user executing it has the appropriate administrative permissions. An authenticated, low-privilege attacker can send a specially crafted request to this function to modify plugin settings, escalate their own privileges to an administrator level, and gain full control over the WordPress site.
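To make the missing control concrete, here is an added, illustrative WordPress settings handler written for this advisory. It is not the plugin's real code: the function and option names (`example_handle_form_options_*`, `example_mofirebase_settings`, the `example_settings_save` nonce action) are hypothetical, while `current_user_can`, `check_admin_referer`, `update_option` and the other calls are standard WordPress APIs. The first function shows the vulnerable shape described above (any authenticated request can write settings); the second adds the capability check that was missing, plus a nonce check and input sanitisation.

```php
<?php
// Illustrative example for CVE-2025-7665, NOT the plugin's own code.
// Option and function names below are hypothetical.

// Vulnerable pattern: the handler trusts any authenticated request and writes
// whatever arrives in $_POST straight into the options table. A subscriber who
// can reach this code path can change privileged plugin settings.
function example_handle_form_options_vulnerable() {
    if ( isset( $_POST['example_settings'] ) ) {
        update_option( 'example_mofirebase_settings', wp_unslash( $_POST['example_settings'] ) );
    }
}

// Hardened pattern: refuse the request unless the caller holds an
// administrative capability, verify the nonce to stop cross-site request
// forgery, and sanitise what is stored.
function example_handle_form_options_hardened() {
    if ( ! isset( $_POST['example_settings'] ) ) {
        return;
    }
    // Capability check: this is the control the advisory says was missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Nonce check: the settings form must render wp_nonce_field( 'example_settings_save' ).
    check_admin_referer( 'example_settings_save' );

    $raw   = wp_unslash( $_POST['example_settings'] );
    $clean = array();
    foreach ( (array) $raw as $key => $value ) {
        $clean[ sanitize_key( $key ) ] = sanitize_text_field( (string) $value );
    }
    update_option( 'example_mofirebase_settings', $clean );
}

add_action( 'admin_init', 'example_handle_form_options_hardened' );
```

The capability check must run before any write to the options table and must test a capability tied to the action being performed (`manage_options` for plugin settings), not merely `is_user_logged_in()`, which is exactly the condition a subscriber already satisfies.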
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.1. A successful exploit could have a significant business impact, leading to a full compromise of the organization's website. Potential consequences include reputational damage from website defacement, theft of sensitive customer or business data, financial loss, and the use of the compromised server to host phishing pages or malware. The ease of exploitation for an authenticated user elevates the risk to any public-facing WordPress site using the vulnerable plugin.
Remediation
Immediate Action: Update the "Miniorange OTP Verification with Firebase" plugin to the latest patched version provided by the vendor as soon as possible. After updating, review all user accounts, especially those with high privileges, for any unauthorized changes. As a best practice, audit all installed plugins and remove any that are no longer necessary to reduce the overall attack surface.
Proactive Monitoring: Monitor web server access logs for direct POST requests to the administrative functions of the plugin, particularly those involving the handle_mofirebase_form_options action. Investigate any such requests originating from users without administrative privileges. Implement monitoring to detect and alert on unauthorized changes to user roles and permissions within the WordPress database.
Compensating Controls: If immediate patching is not feasible, consider implementing a Web Application Firewall (WAF) rule to block access to the vulnerable function from non-administrative users. Alternatively, temporarily disable the plugin until it can be safely updated to a secure version.
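The monitoring and compensating-control advice above can be implemented inside WordPress itself while a WAF rule or the vendor patch is pending. The following must-use plugin is an added example written for this advisory, not code from miniOrange or from WordPress: it logs any POST request that references the `handle_mofirebase_form_options` action from a user without `manage_options`, optionally rejects it with a 403, and records every role change so that an unexpected promotion to administrator shows up with the account that performed it. The hooks (`init`, `set_user_role`, `add_user_role`) and capability name are real WordPress APIs; matching the action name as a substring of the request URI and parameters is an assumption, because the advisory does not document the exact parameters the plugin reads.

```php
<?php
/**
 * Plugin Name: Example MoFirebase Privilege Monitor
 * Description: Added example for the CVE-2025-7665 advisory; not vendor code.
 *
 * Install as wp-content/mu-plugins/example-mofirebase-monitor.php so it loads
 * before ordinary plugins. The request inspection below is a substring match
 * on the action name; the exact request shape the plugin accepts is an
 * assumption, not taken from the advisory.
 */

// Set to true to turn the monitor into a compensating control that rejects
// the request instead of only logging it.
if ( ! defined( 'EXAMPLE_MOFIREBASE_BLOCK' ) ) {
    define( 'EXAMPLE_MOFIREBASE_BLOCK', false );
}

/**
 * Log (and optionally block) POST requests that reference the vulnerable
 * action when the caller does not hold the administrative capability.
 */
function example_mofirebase_inspect_request() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }

    // Flatten the request into one searchable string: URI, parameter names
    // and scalar parameter values.
    $haystack = (string) ( $_SERVER['REQUEST_URI'] ?? '' );
    foreach ( array_merge( $_GET, $_POST ) as $key => $value ) {
        $haystack .= ' ' . $key;
        if ( is_scalar( $value ) ) {
            $haystack .= '=' . $value;
        }
    }
    if ( false === stripos( $haystack, 'handle_mofirebase_form_options' ) ) {
        return;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return; // A legitimate administrator saving settings.
    }

    error_log( sprintf(
        '[mofirebase-monitor] non-admin POST referencing handle_mofirebase_form_options: user_id=%d ip=%s uri=%s',
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $_SERVER['REQUEST_URI'] ?? ''
    ) );

    if ( EXAMPLE_MOFIREBASE_BLOCK ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
// Priority 0 on init runs before admin_init, admin-ajax and admin-post handlers.
add_action( 'init', 'example_mofirebase_inspect_request', 0 );

/**
 * Record every role change, flagging promotions to administrator, together
 * with the acting account and source address.
 */
function example_mofirebase_log_role_change( $user_id, $role, $old_roles = array() ) {
    $level = ( 'administrator' === $role ) ? 'ALERT' : 'INFO';
    error_log( sprintf(
        '[mofirebase-monitor] %s role change: user_id=%d new_role=%s old_roles=%s actor_user_id=%d ip=%s',
        $level,
        $user_id,
        $role,
        implode( ',', (array) $old_roles ),
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
}
add_action( 'set_user_role', 'example_mofirebase_log_role_change', 10, 3 );
add_action( 'add_user_role', 'example_mofirebase_log_role_change', 10, 2 );
```

Entries go to the PHP error log (or `wp-content/debug.log` when `WP_DEBUG_LOG` is enabled), so they can be shipped to the same collector as the web server access logs. An `ALERT` line whose `actor_user_id` is not a known administrator, or a non-admin POST line followed shortly by a role change, is the pattern to investigate; the blocking mode is an application-layer stand-in for the WAF rule and should be removed once the patched plugin is installed.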
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.1 and the critical impact of a privilege escalation vulnerability, it is strongly recommended that organizations prioritize the immediate patching of this flaw. Although this CVE is not currently listed on the CISA KEV catalog, its severity warrants urgent attention. All instances of the Miniorange OTP Verification with Firebase plugin should be updated without delay to prevent potential website compromise.