Platform: wordpress
Component: findall-listing
Fixed in: 1.0.6
CVE-2025-13538 is a critical privilege escalation vulnerability in the FindAll Listing plugin for WordPress. The flaw allows unauthenticated attackers to bypass the plugin's intended access controls and potentially gain administrator privileges on the site. It affects plugin versions 1.0.0 through 1.0.5, and a fix is available in version 1.1.
The impact of this vulnerability is severe. An attacker can exploit it to gain full administrative control over the affected WordPress site. This control allows them to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and potentially compromise the entire network if the WordPress site has access to other systems. The requirement for the FindAll Membership plugin to also be active narrows the attack surface somewhat, but still represents a significant risk for sites using both plugins. The ease of exploitation, requiring only a crafted registration request, further amplifies the potential for widespread abuse.
This vulnerability was publicly disclosed on 2025-11-27. There are currently no known active campaigns targeting this specific vulnerability, but the ease of exploitation and the critical severity suggest it could become a target. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability is straightforward to understand and exploit, increasing the likelihood of PoC development. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.15% (35th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the FindAll Listing plugin to version 1.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the FindAll Listing plugin. As a secondary measure, review user registration processes and implement stricter role-based access controls within the FindAll Membership plugin, if possible. Monitor WordPress access logs for suspicious registration attempts, particularly those attempting to assign the 'administrator' role. There are no specific WAF rules or Sigma/YARA patterns readily available for this specific vulnerability, but general WordPress security best practices should be followed.
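As an added example (not from the advisory or the plugin's own code), the log review suggested above can be scripted: the detector below parses combined-format access-log lines, keeps only requests to registration-related endpoints, and flags any that carry a privileged role in the query string. The endpoint hints, the role parameter names and the sample log lines are all assumptions constructed for illustration and should be tuned to the plugin's real request shape.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined/NCSA access-log format (assumed; Apache and nginx defaults).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Registration entry points to watch: core wp-login.php?action=register, admin-ajax.php
# (plugins often register users via AJAX actions) and REST routes. Assumed, not plugin facts.
REGISTRATION_HINTS = ("wp-login.php", "admin-ajax.php", "/wp-json/", "register")
# Roles a self-service registration should never be allowed to request.
PRIVILEGED_ROLES = {"administrator", "editor"}
# Parameter names that plausibly carry a role (assumed; tune to the plugin's form fields).
ROLE_KEYS = ("role", "user_role", "wp_role", "membership_role")

def parse_line(line):
    """Return a dict with ip, method, path, query (parsed) and status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlparse(entry["path"])
    entry["path"] = url.path
    entry["query"] = parse_qs(url.query, keep_blank_values=True)
    return entry

def is_registration(entry):
    """Heuristic: path or query mentions a registration endpoint or action."""
    qs = " ".join(f"{k}={v}" for k, vs in entry["query"].items() for v in vs)
    return any(h in (entry["path"] + " " + qs).lower() for h in REGISTRATION_HINTS)

def requested_roles(query):
    """Collect every role value the request tries to pass, lower-cased."""
    return {v.lower() for key in ROLE_KEYS for v in query.get(key, [])}

def flag_suspicious(lines):
    """Return (ip, path, roles, status) for registration requests asking for a privileged role."""
    alerts = []
    for line in lines:
        e = parse_line(line)
        if e and is_registration(e):
            bad = requested_roles(e["query"]) & PRIVILEGED_ROLES
            if bad:
                alerts.append((e["ip"], e["path"], sorted(bad), e["status"]))
    return alerts

# Constructed sample log lines (RFC 5737 test addresses); only the second one should fire.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2025:10:01:02 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4321
203.0.113.7 - - [27/Nov/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=findall_register&role=administrator HTTP/1.1" 200 87
198.51.100.4 - - [27/Nov/2025:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=findall_register&role=subscriber HTTP/1.1" 200 87
198.51.100.9 - - [27/Nov/2025:10:03:00 +0000] "GET /listing/123/?role=administrator HTTP/1.1" 200 9000
"""

if __name__ == "__main__":
    for alert in flag_suspicious(SAMPLE_LOG.splitlines()):
        print("suspicious registration:", alert)
```

Role values submitted in a POST body never reach a standard access log, so this only catches the query-string variant; pair it with application-level logging (for example a hook that records the role of every newly created user) to cover the rest.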
Update to version 1.1, or a newer patched version
CVE-2025-13538 is a critical vulnerability in the FindAll Listing WordPress plugin allowing unauthenticated attackers to gain administrator access by manipulating user registration roles, requiring the FindAll Membership plugin to be active.
You are affected if you are using FindAll Listing plugin versions 1.0.0 through 1.0.5 and also have the FindAll Membership plugin installed.
Upgrade the FindAll Listing plugin to version 1.1 or later. If immediate upgrade is not possible, disable the plugin until an upgrade can be performed.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's severity and ease of exploitation suggest it could become a target.
Refer to the FindAll Listing plugin's official website or WordPress plugin repository for the latest advisory and update information.