Platform
wordpress
Component
tiare-membership
Fixed in
1.2.1
CVE-2025-13540 is a critical privilege escalation vulnerability in the Tiare Membership plugin for WordPress. The flaw lets unauthenticated attackers obtain the administrator role through the plugin's user registration, compromising the entire site. Versions 1.0.0 through 1.2 are affected; the fix is in version 1.2.1.
The impact is severe: an attacker gains full control of the site without any prior authentication, including the ability to modify content, install malicious plugins, read any data the site stores, and potentially pivot to other systems reachable from the web server. The ease of exploitation, combined with the widespread use of WordPress, makes this a high-priority risk.
The vulnerability is highly exploitable: no authentication is required and the attack is a single request. Public proof-of-concept (PoC) code is likely to appear quickly. No active exploitation campaigns had been confirmed as of publication, but the low effort involved makes it a likely target for malicious actors. The CVE was published on 2025-11-27.
Any WordPress site running an unpatched Tiare Membership plugin is at risk, and sites with little further hardening will be harder to recover. Shared hosting environments, where several sites share the same server resources, are at additional risk because a compromise of one site can reach the others.
• wordpress / plugin: Check the installed plugin version with wp-cli (anything below 1.2.1 is affected):
wp plugin list | grep tiare-membership
• wordpress / plugin: Confirm the affected REST registration code is present by searching the plugin files for the vulnerable function tiare_membership_init_rest_api_register:
grep -r 'tiare_membership_init_rest_api_register' /path/to/wp-content/plugins/tiare-membership/
• wordpress / logs: Monitor web server access logs for POST requests to /wp-json/tiare-membership/v1/register (and the /?rest_route=/tiare-membership/v1/register form WordPress also accepts) with suspicious parameters, in particular attempts to set the role to 'administrator'. Access logs do not record POST bodies, so also review wp_users for administrator accounts you did not create.
• generic web: Reproduce the unauthenticated registration against a site you own to confirm exposure (the e-mail address is a placeholder):
curl -X POST -d 'username=test&email=test@example.com&role=administrator' http://your-wordpress-site.com/wp-json/tiare-membership/v1/register
A vulnerable install creates the account with the requested role; a patched one must refuse the role or create only a low-privilege user. Delete any test account afterwards.
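To operationalise the log check above, here is an added example (not the advisory's text or the plugin's code) in Python: it flags POST requests to the register route in combined-format access logs, escalates those that pass role=administrator in the query string, counts attempts per source IP, and compares an installed version string against the fixed release. The route and the version threshold are taken from the advisory, the `?rest_route=` form is WordPress's standard REST fallback, and the log lines are constructed for the demonstration.

```python
"""Detection helpers for CVE-2025-13540 (added example, not the plugin's code).

Assumptions: the vulnerable REST route is /wp-json/tiare-membership/v1/register
(as named in the advisory) and every plugin version below 1.2.1 is affected.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

FIXED_VERSION = (1, 2, 1)
ROUTE = "/tiare-membership/v1/register"

# Apache/nginx "combined" log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: two hits from one client (pretty route and rest_route
# fallback), one harmless GET to the route, one unrelated login POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Nov/2025:10:01:12 +0000] "POST /wp-json/tiare-membership/v1/register?role=administrator HTTP/1.1" 200 154 "-" "python-requests/2.32"',
    '203.0.113.7 - - [27/Nov/2025:10:01:13 +0000] "POST /index.php?rest_route=%2Ftiare-membership%2Fv1%2Fregister HTTP/1.1" 200 154 "-" "python-requests/2.32"',
    '198.51.100.5 - - [27/Nov/2025:10:02:40 +0000] "GET /wp-json/tiare-membership/v1/register HTTP/1.1" 404 87 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Nov/2025:10:03:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_version(version: str) -> tuple:
    """Turn '1.2' or '1.2.1' into a comparable tuple; a non-numeric part ends parsing."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts) or (0,)


def is_vulnerable_version(version: str) -> bool:
    """True when the installed Tiare Membership version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def targets_register_route(target: str) -> bool:
    """Match the pretty permalink route and the ?rest_route= fallback, with or without a trailing slash."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").endswith("/wp-json" + ROUTE):
        return True
    rest_routes = parse_qs(parts.query).get("rest_route", [])
    return any(unquote(route).rstrip("/") == ROUTE for route in rest_routes)


def find_registration_attempts(lines):
    """One finding per POST to the register route.

    A role=administrator query parameter makes the finding 'high'. Everything else is
    'review': access logs do not carry POST bodies, so the role may still have been sent
    in the body and wp_users should be checked for unexpected administrators.
    """
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match or match["method"] != "POST":
            continue
        if not targets_register_route(match["target"]):
            continue
        query = parse_qs(urlsplit(match["target"]).query)
        role = query.get("role", [None])[0]
        findings.append({
            "ip": match["ip"],
            "time": match["ts"],
            "status": int(match["status"]),
            "role_in_query": role,
            "severity": "high" if role == "administrator" else "review",
        })
    return findings


def attempts_per_ip(findings) -> Counter:
    """Count register-route POSTs per source address to spot scripted abuse."""
    return Counter(finding["ip"] for finding in findings)


if __name__ == "__main__":
    for finding in find_registration_attempts(SAMPLE_LOG):
        print(finding)
    print(attempts_per_ip(find_registration_attempts(SAMPLE_LOG)))
```

Replace SAMPLE_LOG with the lines of your own access log (for example `open(path)`), and treat any 'high' finding with a 200 response as an incident until the resulting account has been found and removed.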
Exploit status
EPSS
0.15% (35th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade the Tiare Membership plugin to version 1.2.1 or later immediately. If that is not feasible right away because of compatibility concerns, reduce exposure until it is: block POST requests to /wp-json/tiare-membership/v1/register at the web server or WAF, or deactivate the plugin, since the affected endpoint belongs to the plugin and may not honour WordPress's own 'Anyone can register' setting. Restricting registration to known, trusted administrators limits the creation of new unauthorized accounts but is not a complete fix on its own. Monitor WordPress and web server logs for registration attempts that try to assign the 'administrator' role, and review existing administrator accounts for any you did not create. After upgrading, verify the fix by submitting an unauthenticated registration and confirming that the 'administrator' role cannot be obtained.
Update to version 1.2.1 or a newer patched version.
CVE-2025-13540 is a critical vulnerability in the Tiare Membership WordPress plugin that allows unauthenticated attackers to gain administrator access by exploiting a flaw in the plugin's user registration.
If you are using Tiare Membership plugin versions 1.0.0 through 1.2, you are vulnerable. Upgrade to version 1.2.1 or later to remove the risk.
The recommended fix is to upgrade the Tiare Membership plugin to version 1.2.1 or later. If an immediate upgrade is not possible, block the plugin's registration endpoint or deactivate the plugin, and restrict user registration to trusted administrators.
No public exploit was known at publication, but the vulnerability is trivial to exploit and active exploitation is likely to follow. Monitor your systems closely.
Refer to the official Tiare Membership plugin documentation and the WordPress plugin repository for the latest advisory and update information.