CVE-2025-13851
Published: 19 February 2026
Summary
CVE-2025-13851 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of inputs like the _buyent_classified_user_type parameter to prevent attackers from injecting arbitrary roles during REST API registration.
Mandates proper management of account creation, including validation and restriction of role assignments to authorized levels only, addressing the plugin's registration flaw.
Enforces least privilege by ensuring newly registered users receive only minimal necessary access rights, blocking unauthorized administrator role escalation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated exploitation of a public-facing WordPress plugin REST API endpoint for privilege escalation to administrator maps directly to T1190: Exploit Public-Facing Application.
NVD Description
The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugin not validating or restricting the user role during…
more
registration via the REST API endpoint. This makes it possible for unauthenticated attackers to register accounts with arbitrary roles, including administrator, by manipulating the _buyent_classified_user_type parameter during the registration process, granting them complete control over the WordPress site.
Deeper analysisAI
CVE-2025-13851 is a privilege escalation vulnerability in the Buyent Classified plugin for WordPress, which is bundled with the Buyent theme. Affecting all versions up to and including 1.0.7, the issue stems from the plugin's failure to validate or restrict user roles during registration via a REST API endpoint. This flaw, assigned CWE-269 and a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), allows attackers to manipulate the _buyent_classified_user_type parameter to assign themselves elevated privileges.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. By intercepting or crafting a registration request to the REST API endpoint, they can register a new account with an arbitrary role, such as administrator, thereby gaining complete control over the affected WordPress site, including the ability to execute arbitrary code, modify content, or pivot to further compromises.
Advisories detailing the vulnerability, including mitigation guidance, are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/f3e618cf-dd77-45a7-ab57-5732fd329883?source=cve. The Buyent theme page on ThemeForest is located at https://themeforest.net/item/buyent-classified-wordpress-theme/32588790. Security practitioners should review these sources for patch information and apply updates promptly to vulnerable installations.
Details
- CWE(s)