CVE-2025-13559
BaseFortify
Publication date: 2025-11-25
Last updated on: 2025-11-25
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| edukart | pro_plugin | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the EduKart Pro WordPress plugin (versions up to 1.0.3) where the function 'edukart_pro_register_user_front_end' does not restrict the user roles that can be assigned during registration. As a result, an unauthenticated attacker can register with the 'administrator' role and gain full administrator access to the site.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can gain administrator privileges on the affected WordPress site without authentication. This allows them to fully control the site, including modifying content, installing malicious code, stealing data, or disrupting services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the EduKart Pro plugin to a version later than 1.0.3 where the privilege escalation issue is fixed. If an update is not available, restrict user registration or disable the vulnerable registration function 'edukart_pro_register_user_front_end' to prevent unauthenticated users from registering with the 'administrator' role.