Cyber Resilience

CVE-2025-13559

Critical

Published: 25 November 2025

Published
25 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0021 43.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-13559 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-13559, published on 2025-11-25, is a privilege escalation vulnerability in the EduKart Pro plugin for WordPress, affecting all versions up to and including 1.0.3. The flaw exists in the 'edukart_pro_register_user_front_end' function, which does not restrict the user roles that can be specified during registration, enabling attackers to assign themselves elevated privileges.

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows remote attackers to register a new user account with the 'administrator' role, granting full administrative access to the WordPress site and potentially leading to complete compromise (CWE-269: Improper Privilege Management).

Advisories and additional details are available from Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a5be68-8073-48b0-a536-bb3a05e83dda?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/edit-edukart-online-courses-education-lms-theme/52094805.

EU & UK References

Vulnerability details

The EduKart Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'edukart_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible…

more

for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1136.001 Local Account Persistence
Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) to perform privilege escalation to administrator (T1068) by creating a local administrator account (T1136.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-11457Shared CWE-269
CVE-2026-7467Shared CWE-269
CVE-2025-5954Shared CWE-269
CVE-2026-0920Shared CWE-269
CVE-2026-8809Shared CWE-269
CVE-2024-11951Shared CWE-269
CVE-2026-4880Shared CWE-269
CVE-2026-26725Shared CWE-269
CVE-2025-8572Shared CWE-269
CVE-2026-6226Shared CWE-269

Affected Assets

Themeforest
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-2 mandates processes for managing account creation, enabling, and privilege assignment during registration, directly preventing unauthenticated attackers from self-assigning administrator roles.

prevent

AC-6 enforces least privilege by restricting user roles and privileges to only those necessary for tasks, blocking arbitrary assignment of elevated roles like administrator during registration.

prevent

SI-10 requires validation of information inputs such as the unrestricted 'role' parameter in the edukart_pro_register_user_front_end function, ensuring only permitted roles are accepted.

References