CVE-2025-13540

Critical

Published: 27 November 2025

Published

27 November 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0018 39.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Tiare Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. This is due to the 'tiare_membership_init_rest_api_register' function not restricting what user roles a user can register with. This makes it possible…

for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

Mitigating Controls (NIST 800-53 r5)AI

AC-6 Least Privilege good match

prevent

AC-6 enforces least privilege, preventing assignment of excessive roles like administrator to unauthenticated users during registration.

AC-2 Account Management good match

prevent

AC-2 manages account lifecycle including creation and role assignment, ensuring restrictions on self-registration to authorized roles only.

SI-10 Information Input Validation good match

prevent

SI-10 requires validation of inputs like the role parameter in REST API registration requests to reject unauthorized values such as 'administrator'.

Security SummaryAI

CVE-2025-13540 is a privilege escalation vulnerability in the Tiare Membership plugin for WordPress, affecting all versions up to and including 1.2. The flaw arises in the 'tiare_membership_init_rest_api_register' function, which does not restrict the user roles that can be supplied during registration, allowing arbitrary role assignment. It is classified under CWE-269 (Improper Privilege Management) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no prior privileges or user interaction needed. By submitting a registration request via the REST API endpoint and specifying the 'administrator' role, attackers can create an account with full administrative privileges, enabling complete control over the WordPress site, including data access, modification, and deletion.

Advisories detailing the issue are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/6cf01a38-1fba-4c93-b3fa-acfdd5b19410?source=cve and the Tiare Wedding Vendor Directory Theme page on ThemeForest at https://themeforest.net/item/tiare-wedding-vendor-directory-theme/26589165?s_rank=1. The CVE was published on 2025-11-27T05:16:14.293.

Details

CWE(s): CWE-269

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unauthenticated remote exploitation of a public-facing WordPress plugin vulnerability enables arbitrary administrator role assignment during registration.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://themeforest.net/item/tiare-wedding-vendor-directory-theme/26589165?s_rank=1
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/6cf01a38-1fba-4c93-b3fa-acfdd5b19410?source=cve
security@wordfence.com