CVE-2026-13741

UnitedOver · Digits: WordPress Mobile Number Signup and Login

The Digits: WordPress Mobile Number Signup and Login plugin contains an improper privilege management flaw allowing authenticated users to escalate privileges.

Executive summary

A privilege escalation vulnerability in the Digits WordPress plugin allows authenticated attackers to gain unauthorized elevated access to affected websites.

Vulnerability

This vulnerability is classified as CWE-269, Improper Privilege Management. It allows a low-privileged authenticated user to perform actions outside their intended scope, potentially gaining administrative control over the WordPress installation.

Business impact

The ability for an authenticated user to escalate privileges poses a severe risk to site integrity and data confidentiality. With a CVSS score of 8.8, this vulnerability is classified as High, as it enables unauthorized administrative access, which can lead to complete site compromise, data exfiltration, or the deployment of malicious content.

Remediation

Immediate Action: Administrators must update the Digits plugin to the latest available version provided by UnitedOver.

Proactive Monitoring: Review user account logs for unexpected role changes or suspicious administrative activity performed by low-privileged accounts.

Compensating Controls: If an update cannot be applied immediately, consider deactivating the plugin or implementing strict access controls to limit user registration and login capabilities until a patch is deployed.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the High severity rating, organizations should prioritize updating the Digits plugin. Privilege escalation flaws often serve as a gateway for deeper network penetration, making immediate remediation essential to maintaining the security posture of the WordPress environment.