CVE-2025-11533
BaseFortify
Publication date: 2025-10-11
Last updated on: 2025-10-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wp_freeio | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Freeio plugin for WordPress has a vulnerability in its process_register() function that does not restrict which user roles can be assigned during registration. This allows unauthenticated attackers to register with the 'administrator' role, thereby gaining full administrator access to the site.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to gain administrator-level access to a WordPress site without authentication. With such access, the attacker can control the site, modify content, steal data, install malicious code, or disrupt site operations, leading to severe security and operational impacts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the WP Freeio plugin to a version later than 1.2.21 where the privilege escalation issue is fixed. Additionally, review and restrict user registration roles to prevent unauthenticated users from registering as administrators.