Platform: wordpress
Component: designthemes-lms
Fixed in: 1.0.5
CVE-2025-13542 describes a critical Privilege Escalation vulnerability within the DesignThemes LMS plugin for WordPress. This flaw allows unauthenticated attackers to bypass role restrictions during user registration, potentially granting them administrator privileges. The vulnerability impacts versions 1.0.0 through 1.0.4 of the plugin. A patch, version 1.0.5, has been released to address this issue.
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-13542 can gain complete control over a WordPress site running the vulnerable DesignThemes LMS plugin. This includes the ability to modify content, install malicious plugins, steal sensitive data (user credentials, financial information), and potentially pivot to other systems on the network. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors. This vulnerability shares similarities with other WordPress privilege escalation flaws where improper role assignment during registration is exploited.
CVE-2025-13542 was publicly disclosed on December 2, 2025. The vulnerability's ease of exploitation and the potential for widespread impact suggest a medium probability of exploitation (EPSS score likely medium). Public proof-of-concept code is anticipated given the vulnerability's nature and the availability of the plugin. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting DesignThemes LMS.
Exploit Status
EPSS: 0.15% (35th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13542 is to immediately upgrade the DesignThemes LMS plugin to version 1.0.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. While a direct WAF rule to prevent administrator role assignment during registration is complex, restricting the allowed roles in the WordPress user registration settings (if possible) can offer limited protection. Regularly review user accounts for suspicious activity and disable any newly created administrator accounts that are not recognized. After upgrading, verify the fix by attempting to register a new user with the 'administrator' role; the registration should fail.
Update to version 1.0.5, or a newer patched version
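The bug class the advisory describes, as an added illustration in PHP that is not the DesignThemes LMS plugin's own code: a registration handler that trusts a client-supplied role beside a hardened one that only assigns roles from a server-side allow-list, plus an audit helper for the "review newly created administrator accounts" step. The function names, request keys and the student/instructor role mapping are assumptions; the WordPress APIs called are real.

```php
<?php
// Added illustration, not code from the DesignThemes LMS plugin. Function
// names, request keys and the role mapping are hypothetical; the WordPress
// functions (wp_insert_user, sanitize_*, get_users) are the real core APIs.

// WEAK: the role slug comes straight from the request, so an unauthenticated
// visitor can submit 'administrator' and wp_insert_user() will honour it.
function example_register_weak( array $request ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $request['user_login'] ), true ),
        'user_email' => sanitize_email( wp_unslash( $request['user_email'] ) ),
        'user_pass'  => (string) $request['user_pass'],
        'role'       => $request['role'], // attacker-controlled
    ) );
}

// HARDENED: the client chooses a key from a fixed allow-list, never a raw role
// slug; unknown keys are rejected and the default is the least-privileged role.
function example_register_hardened( array $request ) {
    $allowed = array(
        'student'    => 'subscriber',  // hypothetical LMS mapping
        'instructor' => 'contributor', // hypothetical LMS mapping
    );
    $type = isset( $request['account_type'] ) ? sanitize_key( $request['account_type'] ) : 'student';
    if ( ! isset( $allowed[ $type ] ) ) {
        return new WP_Error( 'invalid_account_type', 'Unknown account type.' );
    }
    $result = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $request['user_login'] ), true ),
        'user_email' => sanitize_email( wp_unslash( $request['user_email'] ) ),
        'user_pass'  => (string) $request['user_pass'],
        'role'       => $allowed[ $type ], // server-side choice only
    ) );
    return is_wp_error( $result ) ? $result : (int) $result;
}

// AUDIT: administrators whose user_registered (stored in GMT) is newer than
// $since; run after patching or on a schedule and disable any you don't know.
function example_recent_admins( $since = '-30 days' ) {
    $cutoff = strtotime( $since, time() );
    $hits   = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        if ( strtotime( $user->user_registered . ' UTC' ) >= $cutoff ) {
            $hits[] = $user->user_login . ' registered ' . $user->user_registered;
        }
    }
    return $hits;
}
```

After upgrading, the advisory's verification step amounts to confirming the live handler behaves like the hardened version: a registration request that names 'administrator' must end up as the default role or be rejected, never as a new administrator.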
CVE-2025-13542 is a critical vulnerability allowing unauthenticated attackers to gain administrator access to WordPress sites using the DesignThemes LMS plugin by exploiting a flaw in user registration.
If you are using DesignThemes LMS versions 1.0.0 through 1.0.4 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade the DesignThemes LMS plugin to version 1.0.5 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests a medium probability of exploitation and active monitoring is recommended.
Refer to the DesignThemes LMS website and WordPress plugin repository for the official advisory and update information.