Platform: wordpress
Component: flex-store-user
Fixed in: 1.1.1
CVE-2025-13619 represents a critical Privilege Escalation vulnerability discovered in the Flex Store Users plugin for WordPress. This flaw allows unauthenticated attackers to bypass role restrictions during user registration, potentially granting them administrator privileges. The vulnerability impacts versions 0.0.0 through 1.1.0, and a fix is expected to be released by the vendor.
The impact of CVE-2025-13619 is severe. An attacker exploiting this vulnerability can gain complete control over a WordPress site, including access to sensitive data, modification of content, installation of malicious plugins, and complete site takeover. The ability to register as an administrator without authentication bypasses the standard access controls, making this a high-priority risk. The vulnerability is exacerbated if the Flex Store Seller plugin is also active, since exploitation leverages the 'fs_type' parameter when that plugin is present. This could lead to widespread compromise of WordPress sites running these plugins.
CVE-2025-13619 was publicly disclosed on 2025-12-20. While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation and critical severity make it a likely target. The absence of a public proof-of-concept (POC) does not diminish the risk, as attackers can readily develop their own exploits. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.15% (35th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13619 is to immediately upgrade the Flex Store Users plugin to a patched version as soon as it becomes available. If upgrading is not immediately feasible, consider temporarily disabling the plugin to prevent new user registrations. As a short-term workaround, restrict user role assignment during registration through custom code or a security plugin, although this is not a complete solution. Monitor WordPress access logs for suspicious user registration attempts, particularly those involving the 'administrator' role.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
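As a worked illustration of the "custom code" workaround in the mitigation section, here is an added example (not code from the Flex Store Users plugin or its vendor) of a WordPress must-use plugin that resets any account registered outside a trusted context to the site's default role and logs the event. The plugin name, the list of roles treated as privileged, the log format, and the assumption that the vulnerable role assignment happens no later than the `user_register` hook are this example's own.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (added example, not part of Flex Store Users)
 * Description: Defence in depth for role-assignment bugs during registration:
 *              any account created outside a trusted context is reset to the
 *              site's default role and the event is logged.
 * Install as: wp-content/mu-plugins/registration-role-guard.php
 */

// Late priority so this runs after other plugins' own user_register callbacks.
add_action( 'user_register', 'rrg_enforce_default_role', PHP_INT_MAX );

/**
 * Assumption: the role is assigned before or during user_register. A plugin
 * that assigns roles on a later hook would need the same check there.
 */
function rrg_enforce_default_role( $user_id ) {
    // Trusted contexts: a logged-in user allowed to create users (wp-admin
    // "Add New User"), or WP-CLI run by the site operator.
    if ( current_user_can( 'create_users' ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }

    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }

    // Roles that a self-registered account must never hold (extend for your site).
    $privileged = array( 'administrator', 'editor', 'shop_manager' );
    $granted    = array_intersect( (array) $user->roles, $privileged );
    if ( empty( $granted ) ) {
        return; // nothing suspicious
    }

    // set_role() replaces every existing role with the one given.
    $default_role = get_option( 'default_role', 'subscriber' );
    $user->set_role( $default_role );

    // Log enough context to correlate with the web server access log.
    error_log( sprintf(
        '[registration-role-guard] user %d (%s) registered from %s with roles [%s]; reset to %s',
        $user_id,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        implode( ',', $granted ),
        $default_role
    ) );
}
```

Also confirm that the site's "New User Default Role" setting (the `default_role` option) is itself a low-privilege role, since the guard falls back to it.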
CVE-2025-13619 is a critical vulnerability in the Flex Store Users WordPress plugin allowing unauthenticated attackers to gain administrator access by exploiting flawed role assignment during user registration.
If you are using the Flex Store Users plugin for WordPress in versions 0.0.0 through 1.1.0, you are potentially affected by this vulnerability. Check your plugin versions immediately.
The recommended fix is to upgrade the Flex Store Users plugin to a patched version as soon as it becomes available. Temporarily disabling the plugin is a short-term workaround.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a likely target for attackers.
Refer to the official Flex Store Users plugin website or WordPress plugin repository for updates and advisories regarding CVE-2025-13619.