CVE-2025-13851
Awaiting Analysis Awaiting Analysis - Queue
Privilege Escalation in Buyent Classified WordPress Plugin via REST API

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: Wordfence

Description
The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugin not validating or restricting the user role during registration via the REST API endpoint. This makes it possible for unauthenticated attackers to register accounts with arbitrary roles, including administrator, by manipulating the _buyent_classified_user_type parameter during the registration process, granting them complete control over the WordPress site.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-05-07
AI Q&A
2026-02-19
EPSS Evaluated
2026-05-05
NVD
CVE-2025-13851
EUVD
EUVD-2025-207827
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
buyent classified to 1.0.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The Buyent Classified plugin for WordPress, which is bundled with the Buyent theme, has a vulnerability in all versions up to and including 1.0.7. This vulnerability allows privilege escalation through the user registration process. Specifically, the plugin does not validate or restrict the user role during registration via its REST API endpoint.

An unauthenticated attacker can exploit this by manipulating the _buyent_classified_user_type parameter during registration to assign themselves any user role, including administrator. This grants the attacker complete control over the WordPress site.


How can this vulnerability impact me? :

This vulnerability can have severe impacts because it allows an attacker to gain administrator-level access without authentication. With such access, the attacker can fully control the WordPress site.

  • Modify, delete, or create content arbitrarily.
  • Install malicious plugins or themes.
  • Access sensitive user data stored on the site.
  • Use the compromised site as a platform for further attacks.
  • Disrupt website availability or functionality.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

I don't know


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart