Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13741

CVE-2026-13741: Digits Plugin Privilege Escalation Flaw

CVE-2026-13741 is a privilege escalation vulnerability in the Digits WordPress plugin allowing subscribers to gain administrator access. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-13741 Overview

CVE-2026-13741 is a privilege escalation vulnerability in the Digits: WordPress Mobile Number Signup and Login plugin. The flaw affects all versions up to and including 9.1.0.5. The vulnerability resides in the dig_update_wpwc_custom_fields() function, which lacks proper authorization and role validation. Authenticated attackers with Subscriber-level access can escalate privileges to Administrator by submitting a forged digits_reg_userrole value during a profile update. Exploitation requires the site administrator to have configured the built-in DIGITS User Role field. The issue is classified under [CWE-269] Improper Privilege Management.

Critical Impact

Any authenticated user, including low-privilege Subscribers, can gain full Administrator access to affected WordPress sites, leading to complete site compromise.

Affected Products

  • Digits: WordPress Mobile Number Signup and Login plugin — all versions through 9.1.0.5
  • WordPress sites using the built-in DIGITS User Role field configuration
  • Any WordPress deployment permitting Subscriber-level or higher registrations with the plugin installed

Discovery Timeline

  • 2026-07-16 - CVE-2026-13741 published to NVD
  • 2026-07-16 - Last updated in NVD database

Technical Details for CVE-2026-13741

Vulnerability Analysis

The Digits plugin extends WordPress registration and login using mobile numbers. It exposes profile update endpoints that call dig_update_wpwc_custom_fields(). This function processes user-submitted profile fields, including the digits_reg_userrole parameter tied to the DIGITS User Role feature. The function does not verify whether the requesting user is authorized to assign roles. It also fails to validate that the submitted role value is within an allowed set. Authenticated attackers with any role above unauthenticated, such as Subscriber, can submit the field with the value administrator. The plugin then assigns the requested role to the caller's own account.

Root Cause

The root cause is missing authorization and role validation inside dig_update_wpwc_custom_fields(). The function trusts the digits_reg_userrole parameter supplied via the profile update request. WordPress capability checks such as current_user_can('promote_users') are not enforced. No allow-list constrains the role value. This aligns with [CWE-269] Improper Privilege Management. The behavior only surfaces when administrators have enabled the built-in DIGITS User Role field for registration or profile flows.

Attack Vector

Exploitation is network-based and requires an authenticated account. The attacker registers or uses an existing Subscriber account. The attacker then issues a profile update request to the plugin's endpoint, injecting digits_reg_userrole=administrator. The server applies the role change to the attacker's user. Once elevated, the attacker can install plugins, execute PHP through theme editing, exfiltrate data, or plant persistent backdoors. See the Wordfence Vulnerability Report for additional technical context.

Detection Methods for CVE-2026-13741

Indicators of Compromise

  • HTTP POST requests to Digits profile update endpoints containing the parameter digits_reg_userrole with values such as administrator, editor, or shop_manager
  • Unexpected set_user_role or wp_capabilities changes in the wp_usermeta table for accounts recently registered as Subscriber
  • New Administrator accounts created shortly after low-privilege registration events
  • Plugin, theme, or wp_options modifications performed by users with recent role changes

Detection Strategies

  • Audit the wp_usermeta table for wp_capabilities values that changed from subscriber to administrator without a corresponding admin action
  • Inspect web server logs for POST requests to Digits plugin endpoints containing digits_reg_userrole in the request body
  • Correlate WordPress user_register events with subsequent role escalations within a short time window

Monitoring Recommendations

  • Enable WordPress audit logging to capture role assignments, user creations, and plugin or theme file edits
  • Forward WordPress and web server logs to a centralized SIEM for correlation and alerting on role change anomalies
  • Alert on any privilege escalation for accounts less than 24 hours old

How to Mitigate CVE-2026-13741

Immediate Actions Required

  • Update the Digits plugin to a patched release beyond 9.1.0.5 as soon as it is available from the vendor
  • Disable the Digits plugin if a patched version is not yet installable in your environment
  • Audit existing WordPress users for unexpected Administrator or elevated roles and revoke unauthorized privileges
  • Rotate credentials and API keys for any account that showed suspicious role changes

Patch Information

Refer to the UnitedOver Changelog for the fixed release information. Apply the vendor-supplied update that adds authorization checks and role allow-list validation inside dig_update_wpwc_custom_fields(). Verify the plugin version in the WordPress admin dashboard after applying the update.

Workarounds

  • Disable the DIGITS User Role field in the plugin configuration to remove the exploitable code path
  • Restrict new user registration to trusted networks using a web application firewall rule
  • Block requests containing the digits_reg_userrole parameter at the WAF or reverse proxy until the patch is applied
  • Set the WordPress default registration role to subscriber and enforce manual approval for role changes

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.