{"api_version":"1","generated_at":"2026-04-22T23:09:25+00:00","cve":"CVE-2024-9863","urls":{"html":"https://cve.report/CVE-2024-9863","api":"https://cve.report/api/cve/CVE-2024-9863.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-9863","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-9863"},"summary":{"title":"Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege Escalation via Registration due to Administrator Default User Role Value","description":"The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2024-10-17 02:15:04","updated_at":"2026-04-08 19:22:43"},"problem_types":["CWE-266","CWE-266 CWE-266 Incorrect Privilege Assignment"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"baseScore":9.8,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-registrationform.php#L194","name":"https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-registrationform.php#L194","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verification#file4","name":"https://plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verification#file4","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/f04eab14-dd86-4145-b5eb-20d064bc8417?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/f04eab14-dd86-4145-b5eb-20d064bc8417?source=cve","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-9863","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-9863","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"cyberlord92","product":"Miniorange OTP Verification with Firebase","version":"affected 3.6.0 semver","platforms":[]},{"source":"ADP","vendor":"miniorange","product":"otp_verification","version":"affected 3.6.0 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2024-10-11T00:00:00.000Z","lang":"en","value":"Discovered"},{"source":"CNA","time":"2024-10-11T00:00:00.000Z","lang":"en","value":"Vendor Notified"},{"source":"CNA","time":"2024-10-16T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"István Márton","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2024","cve_id":"9863","cve":"CVE-2024-9863","epss":"0.006770000","percentile":"0.714950000","score_date":"2026-04-13","updated_at":"2026-04-14 00:12:06"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"affected":[{"cpes":["cpe:2.3:a:miniorange:otp_verification:*:*:*:*:*:*:*:*"],"defaultStatus":"unaffected","product":"otp_verification","vendor":"miniorange","versions":[{"lessThanOrEqual":"3.6.0","status":"affected","version":"0","versionType":"semver"}]}],"metrics":[{"other":{"content":{"id":"CVE-2024-9863","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2024-10-17T15:23:48.056528Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-10-17T15:48:42.152Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Miniorange OTP Verification with Firebase","vendor":"cyberlord92","versions":[{"lessThanOrEqual":"3.6.0","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"István Márton"}],"descriptions":[{"lang":"en","value":"The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled."}],"metrics":[{"cvssV3_1":{"baseScore":9.8,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-266","description":"CWE-266 Incorrect Privilege Assignment","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:32:12.679Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/f04eab14-dd86-4145-b5eb-20d064bc8417?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/miniorange-firebase-sms-otp-verification/tags/3.6.0/handler/forms/class-registrationform.php#L194"},{"url":"https://plugins.trac.wordpress.org/changeset/3169869/miniorange-firebase-sms-otp-verification#file4"}],"timeline":[{"lang":"en","time":"2024-10-11T00:00:00.000Z","value":"Discovered"},{"lang":"en","time":"2024-10-11T00:00:00.000Z","value":"Vendor Notified"},{"lang":"en","time":"2024-10-16T00:00:00.000Z","value":"Disclosed"}],"title":"Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege Escalation via Registration due to Administrator Default User Role Value"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2024-9863","datePublished":"2024-10-17T02:06:05.842Z","dateReserved":"2024-10-11T12:46:24.289Z","dateUpdated":"2026-04-08T17:32:12.679Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-10-17 02:15:04","lastModifiedDate":"2026-04-08 19:22:43","problem_types":["CWE-266","CWE-266 CWE-266 Incorrect Privilege Assignment"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"9863","Ordinal":"1","Title":"Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege E","CVE":"CVE-2024-9863","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"9863","Ordinal":"1","NoteData":"The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled.","Type":"Description","Title":"Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege E"}]}}}