Platform: wordpress
Component: tiare-membership
Fixed in: 1.2.1
CVE-2025-13540 is a critical privilege escalation vulnerability in the Tiare Membership plugin for WordPress. It allows unauthenticated attackers to escalate their privileges to the administrator role, compromising the entire WordPress site. Versions 1.0.0 through 1.2 are affected, and a fix is available in version 1.3.
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-13540 can gain complete control of the affected WordPress site: modifying content, installing malicious plugins, stealing sensitive data (user credentials, customer information, financial details), and potentially pivoting to other systems on the network. Because no authentication is required to reach the privilege escalation, the attack surface is much broader than for an authenticated flaw, making this a high-priority concern. Successful exploitation could lead to data breaches, website defacement, and significant reputational damage. The flaw resembles other WordPress privilege escalation vulnerabilities in which improper role assignment during user registration is abused.
CVE-2025-13540 was publicly disclosed on 2025-11-27. Its ease of exploitation, combined with the widespread use of WordPress, suggests a real potential for active exploitation. No public proof-of-concept (PoC) code has been released so far, but the simplicity of the attack vector makes it likely that one will emerge. The vulnerability has not yet been added to the CISA KEV catalog, but its criticality warrants close monitoring.
Exploit Status
EPSS: 0.15% (35th percentile)
The primary mitigation for CVE-2025-13540 is to upgrade the Tiare Membership plugin to version 1.3 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily restrict user registration to trusted administrators only; this is not a complete fix, but it limits the immediate risk. Review WordPress user roles and permissions to confirm they are configured as intended. Deploy a Web Application Firewall (WAF) with rules that block suspicious registration attempts, particularly those attempting to assign the 'administrator' role. Monitor WordPress access logs for unusual activity, specifically failed registration attempts and changes to user roles.
Update to version 1.3 or a newer patched version.
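As an added example (not code from the Tiare Membership plugin or from this advisory), the following WordPress must-use plugin implements the compensating control described above while the upgrade is pending: any request that is not made by a logged-in user holding the promote_users capability cannot leave a user with the administrator role, and each attempt is logged for review. It assumes the registration path assigns roles through the standard WP_User::set_role()/add_role() methods, which fire the set_user_role and add_user_role actions; the rrg_ function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (example compensating control)
 * Description: Reverts an administrator role granted outside an authorised
 *              context and logs the attempt. Place in wp-content/mu-plugins/
 *              until the vulnerable plugin is upgraded, then remove it.
 */

// True when the current request may legitimately grant the administrator role.
function rrg_actor_may_promote(): bool {
    // Core installation and WP-CLI run without a logged-in user; leave them alone.
    if ( wp_installing() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return true;
    }
    // Only a logged-in user who already holds promote_users may grant it.
    return is_user_logged_in() && current_user_can( 'promote_users' );
}

// Fired by WP_User::set_role() (3 args) and WP_User::add_role() (2 args),
// the two methods a registration handler would use to assign a role.
function rrg_guard_role_change( int $user_id, string $role, array $old_roles = array() ): void {
    if ( 'administrator' !== $role || rrg_actor_may_promote() ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( $user instanceof WP_User ) {
        // set_role() replaces all roles; it re-fires this hook with 'subscriber',
        // which does not match 'administrator', so there is no recursion.
        $user->set_role( 'subscriber' );
    }
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    // Written to the PHP error log so it can be forwarded to alerting.
    error_log( sprintf(
        '[rrg] reverted administrator role for user %d (%s) from %s; previous roles: %s',
        $user_id,
        $user instanceof WP_User ? $user->user_login : '?',
        $remote,
        $old_roles ? implode( ',', $old_roles ) : 'none'
    ) );
}
add_action( 'set_user_role', 'rrg_guard_role_change', 1, 3 );
add_action( 'add_user_role', 'rrg_guard_role_change', 1, 2 );
```

Test it on a staging copy first: any legitimate workflow that creates administrators without a logged-in user (custom provisioning scripts, for example) would also be reverted and logged.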
CVE-2025-13540 is a critical vulnerability in the Tiare Membership WordPress plugin that allows unauthenticated attackers to gain administrator access by exploiting a flaw in user registration.
If you are using Tiare Membership plugin versions 1.0.0 through 1.2, you are vulnerable. Upgrade to version 1.3 or later to mitigate the risk.
The recommended fix is to upgrade the Tiare Membership plugin to version 1.3 or later. If an immediate upgrade is not possible, restrict user registration to trusted administrators.
No public exploits are currently known, but the vulnerability's ease of exploitation suggests a potential for active exploitation. Monitor your systems closely.
Refer to the official Tiare Membership plugin documentation and the WordPress plugin repository for the latest advisory and update information.