CVE-2025-13559
Published: 25 November 2025
Summary
CVE-2025-13559 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-2 mandates processes for managing account creation, enabling, and privilege assignment during registration, directly preventing unauthenticated attackers from self-assigning administrator roles.
AC-6 enforces least privilege by restricting user roles and privileges to only those necessary for tasks, blocking arbitrary assignment of elevated roles like administrator during registration.
SI-10 requires validation of information inputs such as the unrestricted 'role' parameter in the edukart_pro_register_user_front_end function, ensuring only permitted roles are accepted.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) to perform privilege escalation to administrator (T1068) by creating a local administrator account (T1136.001).
NVD Description
The EduKart Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'edukart_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible…
more
for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
Deeper analysisAI
CVE-2025-13559, published on 2025-11-25, is a privilege escalation vulnerability in the EduKart Pro plugin for WordPress, affecting all versions up to and including 1.0.3. The flaw exists in the 'edukart_pro_register_user_front_end' function, which does not restrict the user roles that can be specified during registration, enabling attackers to assign themselves elevated privileges.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows remote attackers to register a new user account with the 'administrator' role, granting full administrative access to the WordPress site and potentially leading to complete compromise (CWE-269: Improper Privilege Management).
Advisories and additional details are available from Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a5be68-8073-48b0-a536-bb3a05e83dda?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/edit-edukart-online-courses-education-lms-theme/52094805.
Details
- CWE(s)