CVE-2025-11533
Published: 11 October 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-11533 is a privilege escalation vulnerability in the WP Freeio plugin for WordPress, affecting all versions up to and including 1.2.21. The flaw arises in the process_register() function, which does not restrict the user roles that can be assigned during registration. This allows attackers to specify arbitrary roles, such as 'administrator', upon creating a new account.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and its classification under CWE-269 (Improper Privilege Management). By supplying the 'administrator' role during registration, they obtain full administrative access to the site, enabling data exfiltration, content modification, or execution of arbitrary code.
Advisories from Wordfence provide further details on the vulnerability at https://www.wordfence.com/threat-intel/vulnerabilities/id/0db85f84-04e9-42eb-a16b-96554fbfd186?source=cve, while the plugin's ThemeForest page is available at https://themeforest.net/item/freeio-freelance-marketplace-wordpress-theme/42045416. Security practitioners should consult these sources for patch availability and mitigation guidance, such as updating to a fixed version.
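The following PHP sketch is an added illustrative example and is not WP Freeio's own code: it contrasts the defect class described above (a registration handler that passes a caller-supplied role straight into user creation) with a hardened handler that only assigns roles from a fixed allowlist, plus a small audit helper a site owner can run to list administrator accounts by registration date. The function names, the allowlisted roles ('freelancer', 'employer') and the input field names are assumptions; the WordPress API calls (wp_insert_user, sanitize_key, get_option, get_users, is_wp_error) are real.

```php
<?php
// Added illustrative example, not WP Freeio's code.
// Requires a loaded WordPress environment (wp-load.php) for the WP_* functions.

// VULNERABLE PATTERN (CWE-269): the role comes from the request and is
// forwarded unchanged, so any role name the caller chooses is assigned.
function vulnerable_process_register( array $input ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $input['username'] ?? '' ),
        'user_email' => sanitize_email( $input['email'] ?? '' ),
        'user_pass'  => $input['password'] ?? wp_generate_password(),
        'role'       => $input['role'] ?? 'subscriber', // untrusted, unrestricted
    ) );
}

// Hypothetical allowlist of roles a visitor may pick for self-service signup.
// Privileged roles (administrator, editor, ...) are deliberately absent.
const SAFE_REGISTRATION_ROLES = array( 'subscriber', 'freelancer', 'employer' );

// HARDENED PATTERN: validate the requested role against the allowlist and
// fall back to the site's configured default role on any mismatch.
function hardened_process_register( array $input ) {
    $requested = isset( $input['role'] ) ? sanitize_key( $input['role'] ) : '';

    $role = in_array( $requested, SAFE_REGISTRATION_ROLES, true )
        ? $requested
        : get_option( 'default_role', 'subscriber' );

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $input['username'] ?? '' ),
        'user_email' => sanitize_email( $input['email'] ?? '' ),
        'user_pass'  => $input['password'] ?? wp_generate_password(),
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        return $user_id; // propagate validation/duplicate errors to the caller
    }
    return $user_id;
}

// Defender check: list administrator accounts, newest registration first,
// so unexpected admin accounts created via the registration flow stand out.
function list_admins_by_registration_date() {
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ) );
    $rows = array();
    foreach ( $admins as $u ) {
        $rows[] = array(
            'id'         => $u->ID,
            'login'      => $u->user_login,
            'registered' => $u->user_registered,
        );
    }
    return $rows;
}
```

The hardened handler never rejects a request because of the role field; it silently downgrades anything outside the allowlist, which keeps legitimate signups working while making 'administrator' unreachable from the registration path. Sites that cannot yet update to a fixed plugin version can use the audit helper (or the equivalent Users screen filter) to review administrator accounts whose registration date falls in the exposure window.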
Details
- CWE(s): CWE-269 (Improper Privilege Management)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) to register an administrator account, achieving privilege escalation (T1068).