Cyber Resilience

CVE-2025-13851

Critical

Published: 19 February 2026

Published
19 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0031 22.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-13851 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-13851 is a privilege escalation vulnerability in the Buyent Classified plugin for WordPress, which is bundled with the Buyent theme. Affecting all versions up to and including 1.0.7, the issue stems from the plugin's failure to validate or restrict user roles during registration via a REST API endpoint. This flaw, assigned CWE-269 and a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), allows attackers to manipulate the _buyent_classified_user_type parameter to assign themselves elevated privileges.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. By intercepting or crafting a registration request to the REST API endpoint, they can register a new account with an arbitrary role, such as administrator, thereby gaining complete control over the affected WordPress site, including the ability to execute arbitrary code, modify content, or pivot to further compromises.

Advisories detailing the vulnerability, including mitigation guidance, are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/f3e618cf-dd77-45a7-ab57-5732fd329883?source=cve. The Buyent theme page on ThemeForest is located at https://themeforest.net/item/buyent-classified-wordpress-theme/32588790. Security practitioners should review these sources for patch information and apply updates promptly to vulnerable installations.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugin not validating or restricting the user role during…

more

registration via the REST API endpoint. This makes it possible for unauthenticated attackers to register accounts with arbitrary roles, including administrator, by manipulating the _buyent_classified_user_type parameter during the registration process, granting them complete control over the WordPress site.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated exploitation of a public-facing WordPress plugin REST API endpoint for privilege escalation to administrator maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-13540Shared CWE-269
CVE-2026-2144Shared CWE-269
CVE-2026-7284Shared CWE-269
CVE-2026-7465Shared CWE-269
CVE-2024-12281Shared CWE-269
CVE-2025-15403Shared CWE-269
CVE-2025-13538Shared CWE-269
CVE-2026-43886Shared CWE-269
CVE-2024-57602Shared CWE-269
CVE-2025-15030Shared CWE-269

Affected Assets

Themeforest
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of inputs like the _buyent_classified_user_type parameter to prevent attackers from injecting arbitrary roles during REST API registration.

prevent

Mandates proper management of account creation, including validation and restriction of role assignments to authorized levels only, addressing the plugin's registration flaw.

prevent

Enforces least privilege by ensuring newly registered users receive only minimal necessary access rights, blocking unauthorized administrator role escalation.

References