[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fpcnCMHULGQlKq35NE4YEHuxWwv5TW60zX8xCxaOJm6I":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":20,"research_plan":30,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":31,"research_started_at":32,"research_completed_at":33,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":34},"CVE-2026-42731","miniorange-otp-login-verification-and-sms-notifications-unauthenticated-privilege-escalation","miniOrange OTP Login, Verification and SMS Notifications \u003C= 5.4.9 - Unauthenticated Privilege Escalation","The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.4.9. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.","miniorange-otp-verification",null,"\u003C=5.4.9","5.5.0","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Incorrect Privilege Assignment","2026-05-24 00:00:00","2026-05-26 19:55:15",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9d979d09-a019-420e-b46e-b1d1f5e430ae?source=api-prod",3,[22,23,24,25,26,27],"addons\u002Fotpspampreventer\u002Fhandler\u002Fclass-mootpspamintegration.php","addons\u002Fotpspampreventer\u002Fincludes\u002Fjs\u002Fspam-preventer.js","autoload.php","controllers\u002Ftitlebar.php","handler\u002Fclass-moactionhandlerhandler.php","handler\u002Fclass-moregistrationhandler.php","researched",false,"`\n    This is an unauthenticated action.\n    Is there any other frontend script?\n    `autoload.php` defines `VALIDATION_JS_URL`.\n    `MoOtpSpamIntegration` enqueues `mosp_enqueue_frontend_scripts`.\n\nLet's assume the PoC agent will:\n1. Create a page with a miniOrange shortcode (e.g., `[mo_verify_otp]`) to ensure all scripts are loaded.\n2. Visit the page and extract the nonce.\n3. Send the malicious POST request.\n\n**Payload to elevate privileges:**\n- `option=mo_customer_validation_settings`\n- `_wpnonce=[nonce]`\n- `users_can_register=1`\n- `default_role=administrator`\nIf the plugin only allows saving its own options:\n- `mo_customer_validation_wp_default_role=administrator` (guessed name)\nActually, if the plugin is vulnerable to unauthenticated option updates, it's usually because it doesn't filter the keys in `update_option`.\n\nLet's verify the JS variable name for the nonce.\nIn `class-moactionhandlerhandler.php`:\n`$this->nonce = 'mo_admin_actions';`\nIn `controllers\u002Ftitlebar.php`:\n`$nonce = $admin_handler->get_nonce_value();`\nThe titlebar is admin-only.\n\nHowever, many miniOrange plugins have a \"Contact Us\" or \"Support\" form","gemini-3-flash-preview","2026-06-04 21:27:19","2026-06-04 21:29:31",{"type":35,"vulnerable_version":36,"fixed_version":11,"vulnerable_browse":37,"vulnerable_zip":38,"fixed_browse":39,"fixed_zip":40,"all_tags":41},"plugin","5.4.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fminiorange-otp-verification\u002Ftags\u002F5.4.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fminiorange-otp-verification.5.4.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fminiorange-otp-verification\u002Ftags\u002F5.5.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fminiorange-otp-verification.5.5.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fminiorange-otp-verification\u002Ftags"]