WordPress · Digits: Wordpress Mobile Number Signup/Login · CVE-2025-4094
**Name of the Vulnerable Software and Affected Versions**
The DIGITS: WordPress Mobile Number Signup and Login WordPress plugin versions prior to 8.4.6.1
**Description**
The issue concerns the lack of rate limiting for OTP validation attempts, making it possible for attackers to brute force them.
**Recommendations**
For versions prior to 8.4.6.1, update to version 8.4.6.1 or later to resolve the issue. As a temporary workaround, consider implementing custom rate limiting for OTP validation attempts until the official update can be applied. Restrict access to the OTP validation endpoint to minimize the risk of exploitation. Avoid using the OTP validation feature in the affected plugin until the issue is resolved.