PT-2026-60430 · WordPress · Digits

·

CVE-2026-13741

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Digits: WordPress Mobile Number Signup and Login versions prior to 9.1.0.6
Description Privilege escalation is possible for authenticated users with Subscriber-level access and above. The issue stems from missing authorization and role validation within the dig update wpwc custom fields() function. An attacker can elevate their privileges to Administrator by submitting a forged digits reg userrole value during a profile update, provided the site administrator has enabled the built-in DIGITS User Role field.
Recommendations Update to a version newer than 9.1.0.5. As a temporary mitigation, disable the built-in DIGITS User Role field configuration.

Fix

LPE

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-13741

Affected Products

Digits