Description
Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation. This issue affects miniorange otp verification: from n/a through <= 5.4.9.
Published: 2026-05-27
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The miniOrange OTP Verification plugin contains an incorrect privilege assignment flaw that permits an attacker to elevate their own user role within a WordPress site. This vulnerability, classified as CWE-266, allows a lower‑privileged account to acquire higher permissions, effectively compromising the site’s administrative controls.

Affected Systems

WordPress installations using the miniOrange OTP Verification plugin version 5.4.9 or earlier are affected. Any site that has not upgraded beyond this version remains vulnerable.

Risk and Exploitability

The CVSS score of 9.8 signals a critical severity. EPSS data is currently unavailable, and the issue is not listed in the CISA KEV catalog, indicating no widespread exploits have been reported. The likely attack vector involves HTTP requests to plugin endpoints, potentially requiring an authenticated session to trigger the privilege escalation. Once the flaw is triggered, an attacker can gain full administrative capabilities.

Generated by OpenCVE AI on May 27, 2026 at 11:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade miniOrange OTP Verification to a version later than 5.4.9.
  • Restrict access to the plugin’s administration interfaces to users with administrative roles until the upgrade is applied.
  • If an upgrade cannot be performed immediately, disable the plugin entirely or remove the affected role assignments via WP‑CLI or database repair to prevent exploitation.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics ssvc | | {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type | Values Removed | Values Added
Description | | Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation. This issue affects miniorange otp verification: from n/a through <= 5.4.9.
Title | | WordPress miniorange otp verification plugin <= 5.4.9 - Privilege Escalation vulnerability
Weaknesses | | CWE-266
References | |
Metrics cvssV3_1 | | {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:54:59.853Z

Reserved: 2026-04-29T09:05:25.569Z

Link: CVE-2026-42731

Vulnrichment

Updated: 2026-05-27T10:54:55.172Z

NVD

Status: Received

Published: 2026-05-27T11:16:19.600

Modified: 2026-05-27T11:16:19.600

Link: CVE-2026-42731

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T12:00:32Z
