CVE-2025-13764
BaseFortify
Publication date: 2025-12-11
Last updated on: 2025-12-11
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | wp_cardealer | 1.2.16 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP CarDealer plugin for WordPress has a vulnerability in its user registration function that allows unauthenticated attackers to register with the 'administrator' role. This happens because the function does not restrict which user roles can be assigned during registration, enabling privilege escalation to administrator access.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to gain full administrator access to a WordPress site without authentication. This means the attacker can control the site, modify content, install malicious code, steal data, or disrupt site operations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the WP CarDealer plugin to a version later than 1.2.16 where the issue is fixed. Additionally, review and restrict user registration roles to prevent unauthenticated users from registering as administrators.