Critical severity9.8NVD Advisory· Published Oct 17, 2024· Updated Apr 15, 2026

CVE-2024-9863

Description

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-registrationform.phpnvd
plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verificationnvd
www.wordfence.com/threat-intel/vulnerabilities/id/f04eab14-dd86-4145-b5eb-20d064bc8417nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000