CVE-2024-0203 Overview
The Digits plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting all versions up to and including 8.4.1. The flaw resides in the digits_save_settings function, which fails to validate nonces before processing setting changes. Unauthenticated attackers can craft malicious requests that, when triggered by an authenticated administrator clicking a link, modify the default role assigned to newly registered users. This enables privilege escalation by making new accounts register with elevated permissions. The vulnerability requires user interaction but no prior authentication from the attacker.
Critical Impact
Successful exploitation allows attackers to elevate the default registration role, enabling unauthorized administrative account creation on affected WordPress sites.
Affected Products
- Unitedover Digits plugin for WordPress (versions up to and including 8.4.1)
- WordPress sites with user registration enabled using the Digits plugin
- All WordPress installations running vulnerable Digits plugin versions
Discovery Timeline
- 2024-03-07 - CVE-2024-0203 published to NVD
- 2025-01-21 - Last updated in NVD database
Technical Details for CVE-2024-0203
Vulnerability Analysis
The Digits plugin provides phone number-based registration and login functionality for WordPress. The vulnerability stems from the absence of nonce validation in the digits_save_settings function. WordPress nonces serve as anti-CSRF tokens that bind requests to specific user sessions. Without this validation, the plugin processes administrative setting changes from any request reaching the endpoint with valid administrator authentication cookies.
Attackers exploit this by hosting a page containing a forged request to the plugin's settings handler. When an authenticated administrator visits the attacker-controlled page, the browser automatically attaches session cookies to the cross-origin request. The plugin processes the request as legitimate administrative action and applies the attacker-supplied settings.
The impact extends beyond configuration tampering. By changing the default user role from subscriber to administrator, attackers transform any subsequent self-registration into an administrative account takeover vector.
Root Cause
The root cause is missing CSRF protection in the digits_save_settings function. WordPress provides wp_verify_nonce() and check_admin_referer() functions specifically to prevent this vulnerability class. The Digits plugin omits these checks, leaving the settings endpoint vulnerable to forged requests from any origin.
Attack Vector
Exploitation requires three conditions. First, the target site must run Digits version 8.4.1 or earlier. Second, an administrator must visit an attacker-controlled URL while authenticated to WordPress. Third, the site must permit user registration for the privilege escalation chain to complete. The attacker delivers the malicious link through phishing, comment fields, or compromised third-party sites.
The vulnerability mechanism is described in the Wordfence Vulnerability Analysis. No public proof-of-concept exploit code is available.
Detection Methods for CVE-2024-0203
Indicators of Compromise
- Unexpected changes to the WordPress default user role setting under General Settings
- New administrator accounts created shortly after legitimate administrator browsing activity
- HTTP POST requests to Digits plugin settings endpoints lacking a valid Referer header from the site itself
- Outbound clicks from administrator sessions to unfamiliar external domains preceding configuration changes
Detection Strategies
- Audit the WordPress wp_options table for unauthorized changes to the default_role value
- Review web server access logs for POST requests to Digits administrative endpoints originating from external referrers
- Monitor user registration activity for accounts created with elevated roles
- Compare installed Digits plugin version against the patched release listed in the UnitedOver Changelog
Monitoring Recommendations
- Enable WordPress audit logging to track administrative setting modifications with user attribution
- Alert on any modification to the default user role configuration
- Track new user registrations against expected baseline rates and role assignments
- Forward WordPress and web server logs to a centralized SIEM for correlation with administrator browsing activity
How to Mitigate CVE-2024-0203
Immediate Actions Required
- Update the Digits plugin to a version later than 8.4.1 immediately
- Audit the WordPress default user role setting and reset it to subscriber if altered
- Review the user list for unauthorized administrator accounts and remove them
- Rotate credentials for all administrator accounts as a precaution
Patch Information
UnitedOver released a patched version of the Digits plugin addressing the missing nonce validation in digits_save_settings. Site administrators should review the UnitedOver Changelog for version details and apply the update through the WordPress plugin dashboard or by manual replacement.
Workarounds
- Disable the Digits plugin until the patched version can be installed
- Disable user registration through WordPress General Settings to break the privilege escalation chain
- Restrict administrative access to the WordPress dashboard using IP allowlisting at the web server or WAF level
- Train administrators to avoid clicking unverified links while authenticated to the WordPress admin interface
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
