CVE Alert: CVE-2025-7665 – cyberlord92 – Miniorange OTP Verification with Firebase
CVE-2025-7665
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the ‘handle_mofirebase_form_options’ function in versions 3.1.0 to 3.6.2. This makes it possible for unauthenticated attackers to update the default role to Administrator. Premium features must be enabled in order to exploit the vulnerability.
AI Summary Analysis
Risk verdict
High risk of unauthenticated privilege escalation on the affected WordPress OTP verification plugin; there is currently no evidence of active exploitation, but the exposure is real and elevated.
Why this matters
An attacker can elevate themselves to Administrator without credentials, enabling full site compromise, backdoor installation, and data exposure. In practice, this undermines site integrity, trust, and regulatory posture, especially for sites handling user authentication or sensitive data.
Most likely attack path
The flaw gives unauthenticated requests access to a settings handler that should have been guarded by a capability check; the root cause is a missing authorization check, not a bypass of one. Exploitation requires the plugin to be active (and, per the disclosure, premium features must be enabled), with an attacker sending crafted requests to modify the default user role. The CVSS metrics indicate remote, unauthenticated access with high impact, albeit with relatively high attack complexity and no user interaction.
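To make the flaw class concrete for plugin maintainers and reviewers, the following is an added illustration written for this alert; it is not the plugin's own code, and the hook, option name and function names are hypothetical. It contrasts a settings handler that trusts any request reaching `admin_init` (which WordPress also fires for unauthenticated `admin-ajax.php` requests) with a hardened version that enforces the capability check, a nonce, and a role allow-list.

```php
<?php
// Hypothetical settings handler illustrating the advisory's flaw class.
// Not the plugin's code; names are invented for the example.

// VULNERABLE PATTERN: no current_user_can() and no nonce check, so any
// request that fires admin_init (including unauthenticated admin-ajax.php
// calls) can overwrite the default role stored in the option.
function hypothetical_handle_options_vulnerable() {
    if ( isset( $_POST['option_action'] ) && 'save_role' === $_POST['option_action'] ) {
        $role = sanitize_text_field( wp_unslash( $_POST['default_role'] ?? '' ) );
        update_option( 'hypothetical_default_role', $role ); // attacker-controlled
    }
}
add_action( 'admin_init', 'hypothetical_handle_options_vulnerable' );

// HARDENED FORM: same hook, same option, but the request must come from an
// administrator, carry a valid nonce, and name a role that exists. The
// allow-list additionally refuses 'administrator' as a self-registration
// default, which a settings form for new users should never need.
function hypothetical_handle_options_hardened() {
    if ( ! isset( $_POST['option_action'] ) || 'save_role' !== $_POST['option_action'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 ); // capability check
    }
    check_admin_referer( 'hypothetical_save_role', 'hypothetical_nonce' ); // CSRF nonce

    $role    = sanitize_key( wp_unslash( $_POST['default_role'] ?? '' ) );
    $allowed = array_diff( array_keys( wp_roles()->get_names() ), array( 'administrator' ) );
    if ( ! in_array( $role, $allowed, true ) ) {
        wp_die( 'Role not permitted as a default role', 400 );
    }
    update_option( 'hypothetical_default_role', $role );
}
add_action( 'admin_init', 'hypothetical_handle_options_hardened' );
```

The form that submits `default_role` must emit the matching nonce with `wp_nonce_field( 'hypothetical_save_role', 'hypothetical_nonce' )` for the hardened handler to accept it.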
Who is most exposed
WordPress sites using this plugin, particularly those on shared or public hosting with enabled premium features, are at risk. Environments with publicly accessible admin endpoints and OTP flows that rely on the plugin are most exposed.
Detection ideas
- Sudden creation or elevation of user accounts to Administrator.
- Unusual changes to the default role or plugin configuration via the affected handler.
- Logs showing requests to the plugin’s form-options handler without authentication.
- Anomalous admin-level actions following login attempts from previously unseen IPs.
- WAF or IDS alerts targeting the plugin endpoints.
Mitigation and prioritisation
- Update the plugin to a version beyond 3.6.2 or remove it if upgrade isn’t feasible.
- If patching, test in staging and apply during a controlled change window; ensure backups.
- Enforce least privilege: restrict unauthenticated access and disable premium features if not required.
- Apply compensating controls: WAF rules targeting the specific handler, and enhanced monitoring of admin-privilege changes.
- Communicate with hosting and change-management teams; verify governance around plugin updates.