Platform: wordpress
Component: flex-store-user
Fixed in: 1.1.1
CVE-2025-13619 represents a critical Privilege Escalation vulnerability discovered in the Flex Store Users plugin for WordPress. This flaw allows unauthenticated attackers to bypass role restrictions during user registration, potentially granting them administrator privileges. The vulnerability impacts versions 0.0.0 through 1.1.0 of the plugin. A fix is expected in a future release.
The impact of CVE-2025-13619 is severe. Successful exploitation gives an attacker full administrative control over the WordPress site, including the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and potentially pivot to other systems on the network. The ease of exploitation, requiring only a crafted registration request, significantly increases the risk. The presence of the Flex Store Seller plugin further widens the attack surface, as the 'fs_type' parameter provides an additional route to the flawed role assignment.
CVE-2025-13619 was publicly disclosed on 2025-12-20. While no public proof-of-concept (PoC) has been released at the time of writing, the vulnerability's simplicity suggests a high probability of exploitation. It is not currently listed on the CISA KEV catalog. Active campaigns targeting WordPress plugins are common, increasing the likelihood of this vulnerability being exploited in the wild.
WordPress sites running the Flex Store Users plugin, particularly versions 0.0.0 through 1.1.0, are at significant risk. Shared hosting environments where plugin updates are not managed by the site owner are especially exposed. Sites that also have the Flex Store Seller plugin installed face increased risk because the 'fs_type' parameter offers an additional route to exploitation.
• wordpress / composer / npm:
  grep -r 'fsUserHandle::signup' /var/www/html/wp-content/plugins/flex-store-users/
• wordpress / composer / npm:
  grep -r 'fsSellerRole::add_role_seller' /var/www/html/wp-content/plugins/flex-store-users/
• wordpress / composer / npm:
  wp plugin list | grep 'flex-store-users'
• wordpress / composer / npm:
  wp plugin status flex-store-users
Disclosure
Exploit status
EPSS: 0.15% (35th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13619 is to upgrade to a patched version of the Flex Store Users plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to block requests containing suspicious parameters, particularly those attempting to assign the 'administrator' role during registration. Additionally, review and restrict user registration permissions within WordPress itself. After applying any mitigation, verify the fix by attempting a user registration with an unauthorized role (e.g., 'administrator') and confirming that the registration fails.
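One way to implement the registration-side guard described above, as an added example that is not code from the Flex Store Users plugin or its vendor: a small must-use plugin that reverts any privileged role a new account acquires during an unauthenticated registration. The allowed-role list, the 'seller' role name and the mu-plugin placement are assumptions; adjust them to the roles your site actually uses.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (added example, not part of Flex Store Users)
 * Description: Demotes accounts that obtain a privileged role during self-registration.
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Roles a self-registered account may legitimately end up with.
// 'seller' is assumed to be the role created by Flex Store Seller; adjust to your site.
const RRG_ALLOWED_SELF_ROLES = ['subscriber', 'customer', 'seller'];

/**
 * A role is acceptable when it is on the allowlist, or when the request comes
 * from an authenticated user who may promote users (an admin using wp-admin).
 */
function rrg_role_is_allowed(string $role, bool $requester_can_promote): bool
{
    if ($requester_can_promote) {
        return true;
    }
    return in_array($role, RRG_ALLOWED_SELF_ROLES, true);
}

// user_register fires right after wp_insert_user(), i.e. after any role requested
// through the registration form (for example via a crafted 'role' or 'fs_type'
// value) has already been applied. Inspect the new account and revert if needed.
add_action('user_register', function (int $user_id): void {
    $user = get_userdata($user_id);
    if (!$user) {
        return;
    }
    $requester_can_promote = is_user_logged_in() && current_user_can('promote_users');
    foreach ($user->roles as $role) {
        if (!rrg_role_is_allowed($role, $requester_can_promote)) {
            $fallback = get_option('default_role', 'subscriber');
            error_log(sprintf(
                'registration-role-guard: user %d registered with role "%s" from %s; reset to "%s"',
                $user_id, $role, $_SERVER['REMOTE_ADDR'] ?? 'unknown', $fallback
            ));
            $user->set_role($fallback); // set_role() replaces every role on the account
            break;
        }
    }
}, 1); // priority 1: run before other user_register listeners (welcome mails etc.)
```

The guard only covers the registration moment; it does not protect a site whose default_role option has itself been set to a privileged role, so check that option as part of the review of registration settings.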
No known patch is available. Review the vulnerability details carefully and implement protective measures based on your organization's risk appetite. Uninstalling the affected software and finding an alternative may be the best option.
CVE-2025-13619 is a critical vulnerability in the Flex Store Users WordPress plugin allowing unauthenticated attackers to gain administrator access by exploiting flawed role assignment during user registration.
If you are using the Flex Store Users plugin for WordPress in versions 0.0.0 through 1.1.0, you are potentially affected by this vulnerability. Check your plugin versions immediately.
The recommended fix is to upgrade the Flex Store Users plugin to a patched version as soon as it becomes available. Temporarily disabling the plugin is a short-term workaround.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a likely target for attackers.
Refer to the official Flex Store Users plugin website or WordPress plugin repository for updates and advisories regarding CVE-2025-13619.