PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13741 UnitedOver CVE debrief

The Digits: WordPress Mobile Number Signup and Login plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 9.1.0.5. This is due to missing authorization and role validation in the `dig_update_wpwc_custom_fields()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator by submitting a forged `digits_reg_userrole` value during profile update, granted the site administrator has configured the built-in DIGITS User Role field. The CVE record was published on 2026-07-16T09:16:16.553Z and has not been modified since then.

Vendor
UnitedOver
Product
Digits: WordPress Mobile Number Signup and Login
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of the Digits: WordPress Mobile Number Signup and Login plugin for WordPress, particularly those with Subscriber-level access and above, should be aware of this vulnerability and take steps to mitigate it. This includes administrators who have configured the built-in DIGITS User Role field and operators who may be impacted by potential privilege escalation.

Technical summary

The vulnerability is caused by missing authorization and role validation in the `dig_update_wpwc_custom_fields()` function. This allows authenticated attackers with Subscriber-level access and above to escalate their privileges to Administrator by submitting a forged `digits_reg_userrole` value during profile update. The affected product is the Digits: WordPress Mobile Number Signup and Login plugin for WordPress, in all versions up to, and including, 9.1.0.5.

Defensive priority

High

Recommended defensive actions

  • Update the Digits: WordPress Mobile Number Signup and Login plugin to a version that is not vulnerable
  • Restrict access to the plugin's functionality to only trusted users
  • Monitor for suspicious activity, such as unexpected privilege escalations
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-16T09:16:16.553Z and has not been modified since then. The NVD entry is currently 8.8 HIGH. There is limited evidence available to confirm affected scope and severity beyond the official CVE record and NVD entry.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T09:16:16.553Z and has not been modified since then.