Platform: wordpress
Component: edukart-pro
Fixed in: 1.0.4
CVE-2025-13559 represents a critical Privilege Escalation vulnerability within the EduKart Pro plugin for WordPress. An unauthenticated attacker can exploit this flaw to gain administrator access, effectively compromising the entire WordPress site. This vulnerability affects versions 1.0.0 through 1.0.3. A patch is expected to be released by the vendor.
The impact of CVE-2025-13559 is severe. Successful exploitation allows an attacker to bypass authentication and directly register as an administrator. This grants them complete control over the WordPress site, including the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and potentially pivot to other systems on the network. The lack of authentication required for exploitation significantly broadens the attack surface, making it a high-priority concern. This vulnerability shares similarities with other WordPress privilege escalation flaws where improper role assignment during user registration is exploited.
CVE-2025-13559 was publicly disclosed on 2025-11-25. Currently, there are no known public proof-of-concept exploits available, but the ease of exploitation suggests that it is likely to be targeted. The vulnerability's severity and the widespread use of WordPress make it a high-priority target for malicious actors. Its inclusion in the KEV catalog is pending, but its criticality warrants close monitoring.
Exploit Status
EPSS: 0.15% (35th percentile)
CISA SSVC: none listed
CVSS Vector: none listed
The primary mitigation for CVE-2025-13559 is to upgrade to a patched version of the EduKart Pro plugin as soon as it becomes available. Until a patch is released, consider temporarily disabling the EduKart Pro plugin to prevent potential exploitation. As a temporary workaround, implement a WordPress plugin that restricts user roles during registration, preventing the assignment of the 'administrator' role to unauthenticated users. Monitor WordPress access logs for suspicious registration attempts, particularly those attempting to assign the administrator role. After upgrade, confirm the vulnerability is resolved by attempting a user registration with the 'administrator' role and verifying that it is rejected.
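One way to implement the interim workaround described above, as an added example that is not part of this advisory and not code from the EduKart Pro vendor. It is a must-use plugin that hooks WordPress's `user_register` action and demotes any self-registered account to the site's default role, logging the attempt so the registration can be reviewed. The file name, the `rrg_` prefix and the `wp-content/mu-plugins/` placement are assumptions; the WordPress hooks and functions used (`user_register`, `current_user_can`, `get_userdata`, `WP_User::set_role`, `get_option('default_role')`) are standard core APIs. It also assumes the role is assigned during the `wp_insert_user()` call that fires `user_register`; the advisory does not say how the plugin assigns the role, so verify on a staging copy that a registration requesting `administrator` ends up as a subscriber before relying on it.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (added example, not EduKart Pro code)
 * Description: Resets every self-registered account to the site's default
 *              role, so a registration request that asks for 'administrator'
 *              cannot yield a privileged account.
 *
 * Assumed location: wp-content/mu-plugins/registration-role-guard.php
 * (must-use plugins load automatically). Remove it once EduKart Pro is
 * upgraded to a fixed release.
 */

// Priority 1 so this runs before most other user_register callbacks;
// the hook passes the new user's ID as its single argument.
add_action('user_register', 'rrg_enforce_default_role', 1, 1);

function rrg_enforce_default_role(int $user_id): void
{
    // Trusted path: an authenticated user who may create users (an
    // administrator adding an account in wp-admin) keeps the role they chose.
    // Note: on multisite, 'create_users' belongs to super admins only.
    if (is_user_logged_in() && current_user_can('create_users')) {
        return;
    }

    $user = get_userdata($user_id);
    if (!$user instanceof WP_User) {
        return;
    }

    // 'subscriber' is WordPress's shipped default; get_option() honours a
    // site-level override of the default role.
    $default_role = get_option('default_role', 'subscriber');
    $extra_roles  = array_diff($user->roles, [$default_role]);

    if (empty($extra_roles)) {
        return; // nothing to do: the account already has only the default role
    }

    // Record the attempt: the requested role names and source address are
    // what the advisory says to watch for in the logs.
    error_log(sprintf(
        'registration-role-guard: user %d registered with role(s) %s from %s; reset to %s',
        $user_id,
        implode(',', $extra_roles),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $default_role
    ));

    // set_role() replaces all existing roles with the one given.
    $user->set_role($default_role);
}
```

This does not fix the plugin; it only removes the payoff of a successful registration-time role assignment and leaves an `error_log` entry (written to the PHP error log or `wp-content/debug.log` when `WP_DEBUG_LOG` is enabled) that can be correlated with the access-log review the advisory recommends. Upgrading remains the actual fix.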
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-13559 is a critical vulnerability allowing unauthenticated attackers to gain administrator access to WordPress sites using the EduKart Pro plugin by exploiting a flaw in user registration.
If you are using EduKart Pro versions 1.0.0 through 1.0.3 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade to a patched version of the EduKart Pro plugin as soon as it becomes available. Until then, disable the plugin or implement a workaround to restrict user roles during registration.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted by malicious actors.
Refer to the EduKart Pro plugin's official website or WordPress plugin repository for updates and advisories regarding this vulnerability.