Platform: wordpress
Component: tiger
Fixed in: 101.2.2
CVE-2025-13680 describes a Privilege Escalation vulnerability discovered in the Tiger WordPress theme. This flaw allows authenticated attackers with Subscriber-level access or higher to escalate their privileges to administrator, granting them full control over the affected WordPress site. The vulnerability impacts versions from 0.0.0 up to and including 101.2.1. A patch is expected to be released by the theme developer.
Successful exploitation of CVE-2025-13680 grants an attacker complete administrative control over the WordPress website. This includes the ability to modify content, install malicious plugins, create new user accounts with elevated privileges, and potentially compromise the entire system. The attacker could exfiltrate sensitive data, deface the website, or use it as a launchpad for further attacks against other systems on the network. The ease of privilege escalation, requiring only Subscriber access, significantly broadens the potential attack surface.
This vulnerability is currently considered low probability due to the reliance on authenticated access. No public proof-of-concept (POC) code has been released as of the publication date. The vulnerability was disclosed on 2025-11-27. It is not currently listed on the CISA KEV catalog.
Websites using the Tiger WordPress theme, particularly those with a large number of Subscriber-level users or those with weak password policies, are at increased risk. Shared hosting environments where multiple websites share the same server resources are also vulnerable if one site is running an unpatched version of the theme.
• wordpress / composer / npm:
  grep -rn 'set_role(' /var/www/html/wp-content/themes/tiger/
• wordpress / composer / npm:
  wp plugin list --status=active | grep tiger
• wordpress / composer / npm:
  wp theme list --status=active | grep tiger
Exploit status:
EPSS: 0.06% (18th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-13680 is to upgrade the Tiger WordPress theme to a patched version as soon as it becomes available. Until a patch is released, consider restricting user roles and permissions to minimize the potential impact of a successful attack. Implement a Web Application Firewall (WAF) with rules to detect and block attempts to manipulate user roles. Regularly review user accounts and permissions to identify any suspicious activity. Monitor WordPress logs for unusual role changes.
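The advisory's last two recommendations (review accounts, watch for unusual role changes) can be enforced from inside WordPress itself. The must-use plugin below is an added example written for this page; it is not code from the Tiger theme or from the advisory's author. It hooks the core `set_user_role` and `add_user_role` actions, which WordPress fires from `WP_User::set_role()` and `WP_User::add_role()`, writes every role change to the PHP error log, and e-mails the site owner when an account is promoted to administrator by a request whose acting user does not already hold `manage_options`. The `rca_` function names and the `[role-audit]` log prefix are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Role Change Audit (added example, not part of the Tiger theme)
 * Description: Logs every role change and flags promotions to administrator.
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request
 * and cannot be deactivated from the dashboard.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Record a role change in the PHP error log (and in wp-content/debug.log
 * when WP_DEBUG_LOG is enabled).
 *
 * Hooked to 'set_user_role', which core fires with the target user ID,
 * the new role and the array of previous roles.
 */
function rca_log_role_change( $user_id, $new_role, $old_roles ) {
    $actor   = get_current_user_id(); // 0 when no user is logged in (cron, CLI, unauthenticated request)
    $user    = get_userdata( $user_id );
    $login   = $user ? $user->user_login : "id:$user_id";
    $message = sprintf(
        'role change: user=%s from=[%s] to=%s by_user_id=%d ip=%s uri=%s',
        $login,
        implode( ',', (array) $old_roles ),
        $new_role,
        $actor,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    );
    error_log( '[role-audit] ' . $message );

    // A promotion to administrator performed by a request whose acting user
    // is not already an administrator is the pattern a privilege-escalation
    // bug produces; notify the site owner immediately.
    $promoted = 'administrator' === $new_role
        && ! in_array( 'administrator', (array) $old_roles, true );
    if ( $promoted && ! user_can( $actor, 'manage_options' ) ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Unexpected administrator promotion on ' . home_url(),
            $message
        );
    }
}
add_action( 'set_user_role', 'rca_log_role_change', 10, 3 );

/**
 * add_role() grants an additional role without calling set_role(), so it
 * does not fire 'set_user_role'; log it through 'add_user_role' instead.
 */
function rca_log_role_added( $user_id, $role ) {
    error_log( sprintf(
        '[role-audit] role added: user_id=%d role=%s by_user_id=%d',
        $user_id,
        $role,
        get_current_user_id()
    ) );
}
add_action( 'add_user_role', 'rca_log_role_added', 10, 2 );
```

For the periodic account review the advisory asks for, `wp user list --role=administrator --fields=ID,user_login,user_registered` gives a list that can be diffed against a known-good baseline; any administrator that appears without a matching `[role-audit]` entry from a legitimate actor warrants investigation.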
No patch is known to be available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and look for a replacement.
CVE-2025-13680 is a vulnerability allowing authenticated users to escalate privileges to administrator in the Tiger WordPress theme, potentially granting full control over the website.
You are affected if your WordPress site uses the Tiger theme and is running a version prior to the patch release. Check your theme version and upgrade as soon as a patch is available.
Upgrade the Tiger WordPress theme to the latest version as soon as a patch is released by the theme developer. Until then, restrict user roles and implement WAF rules.
As of the publication date, there is no confirmed active exploitation of CVE-2025-13680, but it's crucial to apply the patch promptly to prevent potential attacks.
Refer to the Tiger WordPress theme developer's website or WordPress.org plugin repository for the official advisory and patch release information.