CVE-2025-13559

Critical

Published: 25 November 2025

Published

25 November 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0021 43.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The EduKart Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'edukart_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible…

for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

Mitigating Controls (NIST 800-53 r5)AI

AC-2 Account Management good match

prevent

AC-2 mandates processes for managing account creation, enabling, and privilege assignment during registration, directly preventing unauthenticated attackers from self-assigning administrator roles.

AC-6 Least Privilege good match

prevent

AC-6 enforces least privilege by restricting user roles and privileges to only those necessary for tasks, blocking arbitrary assignment of elevated roles like administrator during registration.

SI-10 Information Input Validation good match

prevent

SI-10 requires validation of information inputs such as the unrestricted 'role' parameter in the edukart_pro_register_user_front_end function, ensuring only permitted roles are accepted.

Security SummaryAI

CVE-2025-13559, published on 2025-11-25, is a privilege escalation vulnerability in the EduKart Pro plugin for WordPress, affecting all versions up to and including 1.0.3. The flaw exists in the 'edukart_pro_register_user_front_end' function, which does not restrict the user roles that can be specified during registration, enabling attackers to assign themselves elevated privileges.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows remote attackers to register a new user account with the 'administrator' role, granting full administrative access to the WordPress site and potentially leading to complete compromise (CWE-269: Improper Privilege Management).

Advisories and additional details are available from Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a5be68-8073-48b0-a536-bb3a05e83dda?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/edit-edukart-online-courses-education-lms-theme/52094805.

Details

CWE(s): CWE-269

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1136.001 Local Account Persistence

Adversaries may create a local account to maintain access to victim systems.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) to perform privilege escalation to administrator (T1068) by creating a local administrator account (T1136.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://themeforest.net/item/edit-edukart-online-courses-education-lms-theme/52094805
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a5be68-8073-48b0-a536-bb3a05e83dda?source=cve
security@wordfence.com