Cyber Posture

CVE-2025-13613

Severity: Critical
Published: 10 December 2025
Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0037 (58.6th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'eltdf_membership_check_facebook_user' and 'eltdf_membership_login_user_from_social_network' functions. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, which can easily be created by default through the temp user functionality, and access to the administrative user's email.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely identification, reporting, and correction of software flaws such as this authentication bypass vulnerability in the Elated Membership plugin.

Prevent: Mandates robust identification and authentication mechanisms for organizational users, preventing bypasses like the improper login handling after verification in the plugin's social network functions.

Prevent: Enforces approved access authorizations, blocking unauthorized administrative logins enabled by the plugin's failure to properly establish user sessions post-verification.

Security Summary

CVE-2025-13613 is an authentication bypass vulnerability affecting the Elated Membership plugin for WordPress in all versions up to and including 1.2. The issue stems from the plugin failing to properly log in a user after data verification through the 'eltdf_membership_check_facebook_user' and 'eltdf_membership_login_user_from_social_network' functions. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-289 (Authentication Bypass by Assumed-Immutable Data).

Unauthenticated attackers can exploit this vulnerability to log in as administrative users, provided they have an existing account on the site—which can be easily created via the default temporary user functionality—and access to the target administrative user's email. Successful exploitation grants full administrative privileges, enabling high-impact confidentiality, integrity, and availability violations, such as data exfiltration, site modification, or complete takeover.

Advisories and further details, published on 2025-12-10, are available from sources including Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/f15dbce4-2e94-4735-b62b-e32d923c51ce?source=cve and the ThemeForest page for the related esMarts theme at https://themeforest.net/item/esmarts-a-modern-education-and-lms-theme/20987760.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing WordPress plugin, enabling unauthenticated attackers to gain administrative access, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
