Cyber Resilience

CVE-2025-13313

Critical

Published: 05 December 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0048 (65.4th percentile)
Risk Priority: 20 (weights: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-13313 is a critical-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 34.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-13313 is a privilege escalation vulnerability in the CRM Memberships plugin for WordPress, affecting all versions up to and including 2.6. The issue arises from missing authorization and authentication checks on the ntzcrm_changepassword AJAX action, which allows unauthenticated attackers to reset arbitrary user passwords provided they can obtain or enumerate a target user's email address. The plugin also exposes the ntzcrm_get_users endpoint without authentication, enabling attackers to enumerate subscriber email addresses and facilitate exploitation of the password reset flaw. It is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers with network access can exploit this vulnerability with low attack complexity and no user interaction or privileges required. The attack begins with querying the ntzcrm_get_users endpoint to enumerate subscriber email addresses, followed by sending a request to the ntzcrm_changepassword endpoint to reset the password of a targeted user account. Successful exploitation grants unauthorized access to the victim's WordPress account, potentially leading to full site compromise depending on the user's privileges.

The provided references link to source code locations in the CRM Memberships plugin version 2.5 on the WordPress plugin trac repository, specifically lines in class-ntzcrm-api.php (L12, L63, L795), class-ntzcrm-dbquery.php (L287), and ntzcrm-memberships.php (L42), which illustrate the missing authentication checks and the exposed endpoints. No explicit advisories or patch details are included in the available information.

EU & UK References

Vulnerability details

The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.6. This is due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action. This makes it possible for unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the `ntzcrm_changepassword` endpoint, granted they can obtain or enumerate a target user's email address. The plugin also exposes the `ntzcrm_get_users` endpoint without authentication, allowing attackers to enumerate subscriber email addresses, facilitating the exploitation of the password reset vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) to enumerate emails and reset arbitrary user passwords, enabling privilege escalation from no privileges to administrator (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4100 (shared CWE-862)
CVE-2026-32501 (shared CWE-862)
CVE-2025-31194 (shared CWE-862)
CVE-2026-6963 (shared CWE-862)
CVE-2024-9195 (shared CWE-862)
CVE-2025-6380 (shared CWE-862)
CVE-2026-0506 (shared CWE-862)
CVE-2025-2110 (shared CWE-862)
CVE-2025-27270 (shared CWE-862)
CVE-2026-6510 (shared CWE-862)

Affected Assets

WordPress
Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

(prevent) Directly enforces the authorization and authentication checks that are missing on the ntzcrm_changepassword and ntzcrm_get_users AJAX endpoints, preventing unauthenticated privilege escalation and email enumeration.

(prevent) Prohibits sensitive actions such as arbitrary password resets and user email enumeration from being permitted without identification or authentication.

(prevent) Requires identity verification and secure procedures for authenticator resets, blocking unauthorized password changes via the vulnerable endpoint.
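To make the access-enforcement controls above and the missing checks described in the deeper analysis concrete, the following is an added example written for this page; it is not code from the CRM Memberships plugin or its author. It shows how a WordPress plugin should gate the two AJAX actions named in the advisory. Only the action names ntzcrm_changepassword and ntzcrm_get_users come from the page; the handler function names, nonce action names, request parameter names and the chosen capabilities (edit_users, list_users) are assumptions. The checks rely on WordPress core functions (check_ajax_referer, current_user_can, wp_check_password, wp_set_password, get_users).

```php
<?php
// Added example (not the CRM Memberships plugin's code). Action names come from
// the advisory; handler names, nonce names, parameter names and capabilities
// are hypothetical choices made for this illustration.

// Register the password-change action for logged-in users only. Deliberately
// not registering a wp_ajax_nopriv_ variant means admin-ajax.php never
// dispatches this action to an unauthenticated request.
add_action( 'wp_ajax_ntzcrm_changepassword', 'example_ntzcrm_changepassword' );

function example_ntzcrm_changepassword() {
    // 1. CSRF check: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_ntzcrm_changepassword', 'nonce' );

    // 2. Authentication check (defence in depth; the wp_ajax_ hook already
    //    implies a logged-in user).
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 3. Authorization check: only the account owner, or a user holding the
    //    edit_users capability, may change this user's password. The target is
    //    identified by user ID, never by an attacker-supplied email address.
    $target_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $current_id = get_current_user_id();
    if ( $target_id !== $current_id && ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 4. Re-verify the current password when a user changes their own
    //    password, so possession of a session alone is not sufficient.
    if ( $target_id === $current_id ) {
        $user       = wp_get_current_user();
        $current_pw = isset( $_POST['current_password'] ) ? (string) $_POST['current_password'] : '';
        if ( ! wp_check_password( $current_pw, $user->user_pass, $user->ID ) ) {
            wp_send_json_error( array( 'message' => 'Current password incorrect.' ), 403 );
        }
    }

    // 5. Basic input validation before the state change.
    $new_pw = isset( $_POST['new_password'] ) ? (string) $_POST['new_password'] : '';
    if ( strlen( $new_pw ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Password too short.' ), 400 );
    }

    wp_set_password( $new_pw, $target_id );
    wp_send_json_success( array( 'message' => 'Password updated.' ) );
}

// The user-listing action is likewise registered for logged-in users only and
// additionally requires the list_users capability, so it cannot serve as an
// anonymous email-enumeration oracle.
add_action( 'wp_ajax_ntzcrm_get_users', 'example_ntzcrm_get_users' );

function example_ntzcrm_get_users() {
    check_ajax_referer( 'example_ntzcrm_get_users', 'nonce' );
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }
    $users = get_users( array(
        'role'   => 'subscriber',
        'fields' => array( 'ID', 'user_email' ),
    ) );
    wp_send_json_success( $users );
}
```

The three layers map onto the controls listed above: omitting the wp_ajax_nopriv_ registration and checking is_user_logged_in() implements AC-14 (no sensitive action without authentication), the current_user_can() and owner checks implement AC-3 (access enforcement), and the current-password re-verification covers the authenticator-reset requirement. A nonce check on its own is not an authorization check; both are needed.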

References