Platform: wordpress
Component: tiger
Fixed in: 101.2.2
CVE-2025-13675 describes a critical Privilege Escalation vulnerability discovered in the Tiger WordPress theme. This flaw allows unauthenticated attackers to elevate their privileges to administrator level, potentially compromising the entire WordPress site. The vulnerability affects all versions up to and including 101.2.1. A fix is available in subsequent versions of the theme.
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-13675 can gain full administrative control over the affected WordPress site. This includes the ability to modify content, install malicious plugins, create new user accounts with elevated privileges, and potentially access sensitive data stored within the WordPress database. The attacker could also use the compromised site to launch further attacks against other systems on the network, significantly expanding the blast radius. This vulnerability is particularly concerning given the widespread use of WordPress and the potential for automated exploitation targeting vulnerable Tiger theme installations.
CVE-2025-13675 was publicly disclosed on 2025-11-27. The vulnerability's simplicity and the widespread use of the Tiger theme suggest a high probability of exploitation. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of exploitation makes it likely that PoCs will emerge. It is recommended to prioritize patching this vulnerability to prevent potential compromise.
Exploit Status
EPSS: 0.15% (35th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-13675 is to upgrade the Tiger WordPress theme to a version that includes the security fix. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily restricting user registration to known, trusted email domains. While not a complete solution, this can reduce the attack surface. Monitor WordPress access logs for suspicious registration attempts, particularly those using unusual email addresses or attempting to assign the 'administrator' role. Web Application Firewalls (WAFs) configured to block requests containing suspicious parameters related to user registration could also provide a layer of defense.
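The log-monitoring step above can be scripted. The following is an added example, not code from the advisory or from the Tiger theme: it parses web-server access logs in the common "combined" format and flags two things a defender would want to see while waiting to upgrade: requests to registration endpoints that carry a `role=administrator` parameter in the request line, and bursts of registration POSTs from a single source address. The sample log lines are constructed, and the registration paths (`/wp-login.php?action=register`, `/wp-json/wp/v2/users`) and the burst threshold are assumptions for the example, not the vulnerable endpoint identified in the advisory, which the page does not name.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache/Nginx "combined" log format.
# The request paths are assumptions for this example, not the theme's
# actual vulnerable endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Nov/2025:10:01:02 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Nov/2025:10:01:05 +0000] "POST /wp-login.php?action=register&role=administrator HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [27/Nov/2025:10:02:10 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Nov/2025:10:02:11 +0000] "POST /wp-json/wp/v2/users?role=administrator HTTP/1.1" 201 512 "-" "python-requests/2.31"
203.0.113.5 - - [27/Nov/2025:10:02:12 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.5 - - [27/Nov/2025:10:02:13 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.77 - - [27/Nov/2025:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed registration endpoints to watch (example values).
REGISTRATION_PATHS = ("/wp-login.php?action=register", "/wp-json/wp/v2/users")
# A role parameter in a registration request line should never be supplied by a visitor.
ROLE_RE = re.compile(r'[?&]role=administrator\b', re.IGNORECASE)
# Assumed threshold: this many registration POSTs from one IP is treated as a burst.
BURST_THRESHOLD = 3


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_registration(entry):
    """True for POSTs to one of the watched registration endpoints."""
    return entry["method"] == "POST" and entry["path"].startswith(REGISTRATION_PATHS)


def analyze(log_text):
    """Return a list of findings: ('role_in_request', ip, path) or ('registration_burst', ip, count)."""
    findings = []
    registrations_per_ip = Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # skip malformed lines rather than abort the whole run
        if ROLE_RE.search(entry["path"]):
            findings.append(("role_in_request", entry["ip"], entry["path"]))
        if is_registration(entry):
            registrations_per_ip[entry["ip"]] += 1
    for ip, count in registrations_per_ip.items():
        if count >= BURST_THRESHOLD:
            findings.append(("registration_burst", ip, count))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Point `analyze()` at the contents of a real access log to run it against live data; role parameters sent in a POST body will not appear in the request line, so the role check only catches query-string use, while the burst count works regardless of where parameters are carried.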
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-13675 is a CRITICAL vulnerability allowing unauthenticated attackers to gain administrator access to WordPress sites using the Tiger theme due to improper role restrictions during user registration.
If you are using the Tiger WordPress theme and your version is 0.0.0–101.2.1, you are likely affected by this vulnerability. Check your theme version immediately.
Upgrade the Tiger WordPress theme to a version that includes the security fix. Check the theme developer's website for the latest version.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation. It's crucial to patch promptly.
Refer to the official Tiger WordPress theme developer's website or the WordPress plugin repository for the latest advisory and updates.