Cyber Posture

CVE-2025-13619

Critical

Published: 20 December 2025

Published
20 December 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0019 40.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. This is due to the 'fsUserHandle::signup' and the 'fsSellerRole::add_role_seller' functions not restricting what user roles a user can register with.…

more

This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can be exploited with the 'fs_type' parameter if the Flex Store Seller plugin is also activated.

Mitigating Controls (NIST 800-53 r5)AI

AC-6 Least Privilege good match
prevent

AC-6 enforces the principle of least privilege, directly preventing unauthenticated attackers from self-assigning administrator roles during registration in the vulnerable plugin.

AC-2 Account Management good match
prevent

AC-2 manages account provisioning and role assignments, requiring restrictions on self-registration to prevent unauthorized privilege escalation via signup functions.

SI-10 Information Input Validation good match
prevent

SI-10 validates user-supplied inputs like the role parameter during registration, blocking arbitrary role specifications such as administrator.

Security SummaryAI

CVE-2025-13619 is a privilege escalation vulnerability affecting the Flex Store Users plugin for WordPress in all versions up to and including 1.1.0. The issue stems from the fsUserHandle::signup and fsSellerRole::add_role_seller functions failing to restrict the user roles that can be assigned during registration. This allows attackers to specify arbitrary roles, such as administrator, upon signup. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management). It can also be triggered via the fs_type parameter if the Flex Store Seller plugin is activated alongside it.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. By supplying the administrator role during the registration process, they can gain full administrator access to the WordPress site, enabling complete control over content, users, plugins, themes, and settings.

Advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/a2fc40ed-a6af-4069-be63-cb75e98cc98a?source=cve, provide additional details on the vulnerability. A related reference appears at https://themeforest.net/item/autosmart-automotive-car-dealer-wordpress-theme/20322930, potentially indicating theme integration context.

Details

CWE(s)
CWE-269

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

The vulnerability allows unauthenticated attackers to exploit a public-facing WordPress plugin for privilege escalation to administrator via improper role assignment during registration.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References