Platform
wordpress
Component
designthemes-lms
Fixed in
1.0.5
CVE-2025-13542 describes a critical Privilege Escalation vulnerability within the DesignThemes LMS plugin for WordPress. This flaw allows unauthenticated attackers to bypass role restrictions during user registration, potentially granting them administrator privileges. The vulnerability impacts versions 1.0.0 through 1.0.4 of the plugin. A patch, version 1.0.5, has been released to address this issue.
The impact of this vulnerability is severe. An unauthenticated attacker can exploit this flaw to register on the WordPress site with the 'administrator' role, effectively gaining complete control over the site. This includes the ability to modify content, install malicious plugins, access sensitive data, and potentially compromise the entire WordPress installation. The attacker could also use this access to pivot to other systems on the network if the WordPress server has access to them. This vulnerability is particularly concerning given the widespread use of WordPress and the potential for significant data breaches and service disruptions.
CVE-2025-13542 was publicly disclosed on December 2, 2025. No public proof-of-concept (PoC) code had been released at the time of writing, but the ease of exploitation makes it likely that PoCs will emerge. The vulnerability's criticality and ease of exploitation suggest a medium probability of exploitation, although it has not yet been added to the CISA KEV catalog.
WordPress sites utilizing the DesignThemes LMS plugin, particularly those running versions 1.0.0 through 1.0.4, are at significant risk. Shared hosting environments where multiple websites share the same server are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others. Sites with legacy WordPress configurations or those lacking robust security practices are also at higher risk.
• wordpress / composer / npm:
grep -r 'dtlms_register_user_front_end' /var/www/html/wp-content/plugins/designthemes-lms/
• wordpress / composer / npm:
wp plugin list --status=inactive | grep designthemes-lms
• wordpress / composer / npm:
wp plugin update designthemes-lms
• generic web: Check the WordPress plugin directory for an updated version of DesignThemes LMS.
Disclosure
Exploit status
EPSS
0.15% (35th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13542 is to immediately upgrade the DesignThemes LMS plugin to version 1.0.5 or later. If an immediate upgrade is not feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. While not a complete solution, restricting user registration roles through WordPress's built-in capabilities or a third-party plugin can limit the potential impact. Regularly review user accounts and permissions for any suspicious activity. After upgrading, confirm the fix by attempting a user registration with an administrator role and verifying that the registration fails.
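As an added, defender-side illustration that is not the page's or DesignThemes' own code: a small must-use plugin that implements the "restrict registration roles" workaround from the paragraph above and provides an audit helper for the post-upgrade review. The hook names and functions are WordPress core; how the vulnerable plugin assigns the role is assumed, since the advisory does not describe it, so the guard intercepts every role assignment made while no user with `promote_users` is logged in.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (illustrative, assumed mu-plugin)
 * Place in wp-content/mu-plugins/. This does not patch DesignThemes LMS; it
 * only caps what an anonymous self-registration can obtain until 1.0.5 is deployed.
 */
if ( ! defined( 'ABSPATH' ) ) { exit; }

// Roles that a registration performed by an anonymous visitor may never receive.
const RRG_BLOCKED_ROLES = array( 'administrator', 'editor' );

/**
 * Fires inside WP_User::set_role(), which is reached both by wp_insert_user()
 * and by any later direct set_role() call. If nobody with promote_users is
 * performing the change, reset the account to the site's default role and log it.
 */
function rrg_guard_role( $user_id, $role, $old_roles ) {
    static $resetting = false;                         // recursion guard for our own set_role()
    if ( $resetting ) { return; }
    if ( defined( 'WP_CLI' ) && WP_CLI ) { return; }  // `wp user create --role=...` stays usable
    if ( current_user_can( 'promote_users' ) ) { return; }
    if ( ! in_array( $role, RRG_BLOCKED_ROLES, true ) ) { return; }

    $user = get_userdata( $user_id );
    if ( ! $user ) { return; }
    $resetting = true;
    $user->set_role( get_option( 'default_role', 'subscriber' ) );
    $resetting = false;
    error_log( sprintf(
        'rrg: user %d (%s) assigned role "%s" by non-privileged request from %s; reset to default role',
        $user_id, $user->user_login, $role, $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
}
add_action( 'set_user_role', 'rrg_guard_role', 10, 3 );

/**
 * Audit helper for the account review recommended above: administrators whose
 * account was created within the last $days days.
 * Run e.g.:  wp eval 'print_r( rrg_recent_admins( 30 ) );'
 */
function rrg_recent_admins( $days = 30 ) {
    $since = gmdate( 'Y-m-d H:i:s', time() - $days * DAY_IN_SECONDS );
    return get_users( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => $since ) ),
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );
}
```

Any administrator returned by the audit helper that nobody on the team created should be treated as a sign of compromise, not just disabled.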
Update to version 1.0.5 or a newer patched version.
CVE-2025-13542 is a critical vulnerability allowing unauthenticated attackers to gain administrator access to WordPress sites using the DesignThemes LMS plugin by exploiting a flaw in user registration.
If you are using DesignThemes LMS versions 1.0.0 through 1.0.4 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade the DesignThemes LMS plugin to version 1.0.5 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a medium probability of exploitation, and active monitoring is recommended.
Refer to the DesignThemes LMS website and WordPress plugin repository for the official advisory and update information.