Cyber Resilience

CVE-2025-13563

Critical

Published: 19 February 2026

Published
19 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0037 28.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-13563 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 28.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-13563 is a privilege escalation vulnerability in the Lizza LMS Pro plugin for WordPress, affecting all versions up to and including 1.0.3. The flaw arises in the 'lizza_lms_pro_register_user_front_end' function, which does not restrict the user roles that can be assigned during front-end registration, allowing arbitrary role specification.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. By supplying the 'administrator' role during registration, they gain full administrator access to the site, enabling high-impact confidentiality, integrity, and availability violations, as reflected in the CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-269 (Improper Privilege Management).

Advisories from Wordfence detail the issue and recommend mitigation. Security practitioners should consult the Wordfence threat intelligence report and the plugin's ThemeForest page for patching guidance, with updates to versions beyond 1.0.3 addressing the vulnerability where available.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'lizza_lms_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it…

more

possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a privilege escalation in a public-facing WordPress plugin, allowing unauthenticated attackers to gain administrator access, directly enabling T1068 (Exploitation for Privilege Escalation) and T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-12281Shared CWE-269
CVE-2025-15403Shared CWE-269
CVE-2025-13538Shared CWE-269
CVE-2024-57602Shared CWE-269
CVE-2026-2631Shared CWE-269
CVE-2025-13542Shared CWE-269
CVE-2025-15027Shared CWE-269
CVE-2025-22937Shared CWE-269
CVE-2025-0180Shared CWE-269
CVE-2025-6758Shared CWE-269

Affected Assets

Themeforest
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces least privilege to prevent assignment of administrator roles during unauthenticated user registration.

prevent

Manages account creation processes to restrict self-registration to authorized roles only, blocking arbitrary role specification.

prevent

Validates user-supplied role inputs in the registration function to reject unauthorized roles like administrator.

References