CVE-2025-13619
Published: 20 December 2025
Summary
CVE-2025-13619 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-6 enforces the principle of least privilege, directly preventing unauthenticated attackers from self-assigning administrator roles during registration in the vulnerable plugin.
AC-2 manages account provisioning and role assignments, requiring restrictions on self-registration to prevent unauthorized privilege escalation via signup functions.
SI-10 validates user-supplied inputs like the role parameter during registration, blocking arbitrary role specifications such as administrator.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated attackers to exploit a public-facing WordPress plugin for privilege escalation to administrator via improper role assignment during registration.
NVD Description
The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. This is due to the 'fsUserHandle::signup' and the 'fsSellerRole::add_role_seller' functions not restricting what user roles a user can register with.…
more
This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can be exploited with the 'fs_type' parameter if the Flex Store Seller plugin is also activated.
Deeper analysisAI
CVE-2025-13619 is a privilege escalation vulnerability affecting the Flex Store Users plugin for WordPress in all versions up to and including 1.1.0. The issue stems from the fsUserHandle::signup and fsSellerRole::add_role_seller functions failing to restrict the user roles that can be assigned during registration. This allows attackers to specify arbitrary roles, such as administrator, upon signup. The vulnerability is rated with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management). It can also be triggered via the fs_type parameter if the Flex Store Seller plugin is activated alongside it.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. By supplying the administrator role during the registration process, they can gain full administrator access to the WordPress site, enabling complete control over content, users, plugins, themes, and settings.
Advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/a2fc40ed-a6af-4069-be63-cb75e98cc98a?source=cve, provide additional details on the vulnerability. A related reference appears at https://themeforest.net/item/autosmart-automotive-car-dealer-wordpress-theme/20322930, potentially indicating theme integration context.
Details
- CWE(s)