Cyber Posture

CVE-2025-13851

Critical

Published: 19 February 2026

Published
19 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0011 28.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugin not validating or restricting the user role during…

more

registration via the REST API endpoint. This makes it possible for unauthenticated attackers to register accounts with arbitrary roles, including administrator, by manipulating the _buyent_classified_user_type parameter during the registration process, granting them complete control over the WordPress site.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation of inputs like the _buyent_classified_user_type parameter to prevent attackers from injecting arbitrary roles during REST API registration.

AC-2 Account Management good match
prevent

Mandates proper management of account creation, including validation and restriction of role assignments to authorized levels only, addressing the plugin's registration flaw.

AC-6 Least Privilege good match
prevent

Enforces least privilege by ensuring newly registered users receive only minimal necessary access rights, blocking unauthorized administrator role escalation.

Security SummaryAI

CVE-2025-13851 is a privilege escalation vulnerability in the Buyent Classified plugin for WordPress, which is bundled with the Buyent theme. Affecting all versions up to and including 1.0.7, the issue stems from the plugin's failure to validate or restrict user roles during registration via a REST API endpoint. This flaw, assigned CWE-269 and a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), allows attackers to manipulate the _buyent_classified_user_type parameter to assign themselves elevated privileges.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. By intercepting or crafting a registration request to the REST API endpoint, they can register a new account with an arbitrary role, such as administrator, thereby gaining complete control over the affected WordPress site, including the ability to execute arbitrary code, modify content, or pivot to further compromises.

Advisories detailing the vulnerability, including mitigation guidance, are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/f3e618cf-dd77-45a7-ab57-5732fd329883?source=cve. The Buyent theme page on ThemeForest is located at https://themeforest.net/item/buyent-classified-wordpress-theme/32588790. Security practitioners should review these sources for patch information and apply updates promptly to vulnerable installations.

Details

CWE(s)
CWE-269

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Unauthenticated exploitation of a public-facing WordPress plugin REST API endpoint for privilege escalation to administrator maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References