VYPR
Critical severity · 9.8 · NVD Advisory · Published May 27, 2026

CVE-2026-42731


Description

Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation. This issue affects miniorange otp verification: from n/a through <= 5.4.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An incorrect privilege assignment in the miniOrange OTP Verification WordPress plugin (≤ 5.4.9) allows low-privileged users to escalate their role, leading to full site compromise.

Vulnerability

The miniOrange OTP Verification WordPress plugin (versions from n/a through 5.4.9) contains an Incorrect Privilege Assignment vulnerability [1]. This flaw allows privilege escalation, enabling an attacker with a low-privileged account (e.g., subscriber) to gain higher roles. The vulnerability exists in the plugin's access control logic, which does not properly validate or restrict role assignment during OTP verification processes.

Exploitation

An attacker needs only a low-privileged WordPress account (such as a subscriber or customer) to exploit the vulnerability [1]. No additional network position or authentication bypass is required beyond that initial account. The attacker can trigger the privilege escalation by sending crafted requests to the plugin's AJAX endpoints or role assignment functions, causing the plugin to upgrade the attacker's role to administrator or another high-privilege level.

Impact

Successful exploitation allows the attacker to escalate their privileges to an administrator or other high-level role [1]. This grants full control over the WordPress site, including the ability to modify content, install malicious plugins, create new admin accounts, or exfiltrate data. The vulnerability is rated Critical with a CVSS v3 score of 9.8, indicating severe confidentiality, integrity, and availability impact [1]. Mass-exploit campaigns are expected.

Mitigation

Update the plugin to version 5.5.0 or later to resolve the vulnerability [1]. If an immediate update is not possible, Patchstack has issued a mitigation rule to block attacks [1]. Users can also enable auto-updates for vulnerable plugins via Patchstack. No other workarounds are provided in the references.
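As an added, hypothetical illustration (not the plugin's code, and not derived from a fix diff, which this page notes is unavailable), the following must-use plugin shows one way a site owner could monitor role changes while the 5.5.0 update is being rolled out. It hooks WordPress's `set_user_role` action, which fires after `WP_User::set_role()` has changed a user's roles, and records any elevation to a privileged role performed by an actor who lacks the `promote_users` capability. The role list, the log line format, the `rew_` function names and the `REW_REVERT` switch are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Role Escalation Watch (hypothetical example)
 * Description: Logs, and optionally reverts, elevations to a privileged role
 *              performed by an actor without the promote_users capability.
 *              Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Roles regarded as privileged for this example (assumed list; adjust per site).
const REW_PRIVILEGED_ROLES = array( 'administrator', 'editor' );

// Set to true to revert suspicious changes instead of only logging them.
// Left false by default: set_user_role fires after the change has been saved,
// and legitimate non-interactive flows (cron, custom scripts) may also run
// without a logged-in actor, so reverting blindly can break them.
const REW_REVERT = false;

/**
 * Decision helper kept free of WordPress calls so it is easy to unit-test:
 * a change is suspicious when it grants a privileged role and the acting
 * user cannot promote users (or there is no acting user at all).
 */
function rew_is_suspicious_role_change( $new_role, $actor_can_promote ) {
    return in_array( $new_role, REW_PRIVILEGED_ROLES, true ) && ! $actor_can_promote;
}

add_action( 'set_user_role', 'rew_on_set_user_role', 10, 3 );

function rew_on_set_user_role( $user_id, $role, $old_roles ) {
    static $reverting = false;          // guard: our own revert re-fires this hook
    if ( $reverting ) {
        return;
    }
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return;                          // operator-driven CLI changes are out of scope
    }

    $actor_id          = get_current_user_id();   // 0 when nobody is logged in
    $actor_can_promote = $actor_id > 0 && user_can( $actor_id, 'promote_users' );

    if ( ! rew_is_suspicious_role_change( $role, $actor_can_promote ) ) {
        return;
    }

    // One line per event in the PHP error log; forward it to your SIEM from there.
    error_log( sprintf(
        'role-escalation-watch: user=%d new_role=%s old_roles=%s actor=%d uri=%s',
        $user_id,
        $role,
        implode( ',', (array) $old_roles ),
        $actor_id,
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );

    if ( ! REW_REVERT ) {
        return;
    }

    // Containment: restore the previous role set recorded by WordPress.
    $user = get_user_by( 'id', $user_id );
    if ( $user ) {
        $reverting = true;
        $user->set_role( '' );                       // drop all roles (re-fires hook; guarded)
        foreach ( (array) $old_roles as $old_role ) {
            $user->add_role( $old_role );
        }
        $reverting = false;
    }
}
```

Two caveats for anyone adapting this: `set_user_role` only fires for `set_role()`, so a role that is added alongside an existing one goes through the separate `add_user_role` action and would need the same treatment; and because both actions fire after the database write, this is detection and containment, not prevention. The authoritative fix remains the plugin update named above.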

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0 (no linked articles in our index yet)