CVE-2025-13563
Published: 19 February 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-13563 is a privilege escalation vulnerability in the Lizza LMS Pro plugin for WordPress, affecting all versions up to and including 1.0.3. The flaw arises in the 'lizza_lms_pro_register_user_front_end' function, which does not restrict the user roles that can be assigned during front-end registration, allowing arbitrary role specification.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. By supplying the 'administrator' role in the registration request, they create an account with full administrator rights on the site, which gives them complete control over its confidentiality, integrity, and availability. This is reflected in the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); the weakness is classified as CWE-269 (Improper Privilege Management).
Advisories from Wordfence detail the issue and recommend mitigation. Security practitioners should consult the Wordfence threat intelligence report and the plugin's ThemeForest page for patching guidance. Because every version up to and including 1.0.3 is affected, the fix, where the vendor has released one, is only in a later version; until the site runs a fixed version, disabling the plugin's front-end registration or the plugin itself removes the exposed code path.
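The root cause is a registration handler that passes a client-supplied role straight through to WordPress user creation. The snippet below is an added illustration written for this page, not the plugin's own code: the function names, the `role` POST parameter, the `lizza_register` nonce action and the `student` role name are assumptions. It shows the vulnerable pattern the description implies next to a hardened form that never lets the caller choose a privileged role.

```php
<?php
// Added example, not code from Lizza LMS Pro. Names below are assumptions.

// VULNERABLE pattern: the role comes straight from the request, so an
// unauthenticated caller can POST role=administrator and get an admin account.
function lizza_demo_register_vulnerable() {
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    $role     = sanitize_text_field( wp_unslash( $_POST['role'] ?? 'subscriber' ) );

    // sanitize_text_field() only strips tags and whitespace; it does not
    // reject 'administrator', so the attacker-chosen role is applied as-is.
    return wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
}

// HARDENED pattern: registration is gated on the site setting and a nonce,
// input is validated, and the role is chosen from a fixed allow-list of
// low-privilege roles. A request asking for 'administrator' is downgraded.
function lizza_demo_register_hardened() {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.' );
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $nonce, 'lizza_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        return new WP_Error( 'invalid_input', 'Invalid registration data.' );
    }
    if ( username_exists( $username ) || email_exists( $email ) ) {
        return new WP_Error( 'exists', 'Account already exists.' );
    }

    // Only roles the plugin intends to hand out to self-registered users.
    // 'student' is an assumed LMS role; 'subscriber' is a WordPress default.
    $allowed_roles  = array( 'subscriber', 'student' );
    $requested_role = sanitize_key( $_POST['role'] ?? '' );
    $role           = in_array( $requested_role, $allowed_roles, true ) ? $requested_role : 'subscriber';
    if ( ! wp_roles()->is_role( $role ) ) {
        $role = 'subscriber'; // role not registered on this site: fall back
    }

    return wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
}
```

The allow-list is the essential control: sanitising the role string does nothing, because `administrator` is a perfectly well-formed value. The nonce and `users_can_register` checks are defence in depth; they do not by themselves stop role abuse, since a legitimate visitor with a valid nonce could still submit any role if the handler trusted it. After patching, audit `wp_users` for administrator accounts created while the vulnerable version was installed, since the fix does not remove accounts already planted.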
Details
- CWE(s): CWE-269 (Improper Privilege Management)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in a front-end registration function of a public-facing WordPress plugin, reachable without authentication, which maps to T1190 (Exploit Public-Facing Application) for initial access. Because the same request lets the attacker assign themselves the administrator role rather than the low-privilege role a registrant should receive, it also maps to T1068 (Exploitation for Privilege Escalation).