EduKart Pro <= 1.0.3 - Unauthenticated Privilege Escalation
Platform
wordpress
Component
edukart-pro
Fixed version
1.0.4
CVE-2025-13559 is a critical privilege escalation vulnerability in the EduKart Pro plugin for WordPress. An unauthenticated attacker can exploit this flaw to gain administrator access and thereby take over the entire WordPress site. The vulnerability affects versions 1.0.0 through 1.0.3. A patch is expected to be released by the vendor.
Impact and Attack Scenarios
The impact of CVE-2025-13559 is severe. Successful exploitation allows an attacker to bypass authentication and directly register as an administrator. This grants them complete control over the WordPress site, including the ability to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and potentially pivot to other systems on the network. The lack of authentication required for exploitation significantly broadens the attack surface, making it a high-priority concern. This vulnerability shares similarities with other WordPress privilege escalation flaws where improper role assignment during user registration is exploited.
Exploitation Status
CVE-2025-13559 was publicly disclosed on 2025-11-25. Currently, there are no known public proof-of-concept exploits available, but the ease of exploitation suggests that it is likely to be targeted. The vulnerability's severity and the widespread use of WordPress make it a high-priority target for malicious actors. Its inclusion in the KEV catalog is pending, but its criticality warrants close monitoring.
Who Is at Risk
WordPress sites utilizing the EduKart Pro plugin, particularly those with limited security hardening or those running older, unpatched versions, are at significant risk. Shared hosting environments where multiple websites share the same server infrastructure are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
Detection Steps
• wordpress / plugin: Use WP-CLI (wp plugin list) to identify installations of EduKart Pro. Check the plugin files (e.g., edukartproregisteruserfront_end.php) for the vulnerable code.
• generic web: Monitor WordPress access logs for POST requests to the registration endpoint with parameters attempting to set the user role to 'administrator'.
• wordpress / composer: Run composer audit within the EduKart Pro plugin directory to check for known vulnerabilities.
• wordpress / plugin: Use a WordPress security plugin to scan for privilege escalation vulnerabilities and monitor for suspicious user registration attempts.
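The access-log check in the second bullet, as an added example that is not part of this advisory: it parses constructed combined-format log lines and flags POST requests whose query string tries to set a role parameter (plain or nested, URL-encoded or not) to administrator. The admin-ajax action name and the /register/ path are placeholders, since the advisory does not name the plugin's registration endpoint.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; not real traffic. The
# admin-ajax "action" name and the /register/ path are placeholders, since the
# advisory does not name the plugin's registration endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=register_user&role=administrator HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.9 - - [25/Nov/2025:10:02:15 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2025:10:03:44 +0000] "POST /register/?user%5Brole%5D=Administrator HTTP/1.1" 200 498 "-" "python-requests/2.31.0"
192.0.2.5 - - [25/Nov/2025:10:04:01 +0000] "GET /courses/?role=administrator HTTP/1.1" 200 7321 "-" "Mozilla/5.0"
"""

# Fields of a combined-format entry we need: client IP, timestamp, method,
# request target (path plus query string) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def requests_admin_role(target: str) -> bool:
    """True if any query parameter named role, plain or nested like
    user[role], is set to 'administrator' (case-insensitive, URL-decoded)."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key, values in params.items():
        leaf = key.rsplit("[", 1)[-1].rstrip("]").lower()
        if leaf == "role" and any(v.strip().lower() == "administrator" for v in values):
            return True
    return False


def find_suspicious_registrations(log_text: str) -> list[dict]:
    """Return POST entries whose query string tries to set role=administrator.
    Standard access logs do not record POST bodies, so a role sent only in
    the body needs request-body logging (e.g. a WAF audit log) to be seen."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None or m["method"] != "POST":
            continue
        if requests_admin_role(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": m["target"], "status": m["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_registrations(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['target']} ({hit['status']})")
```

Replace SAMPLE_LOG with the contents of the real access log and review each hit against the registration endpoint the plugin actually uses; a matching GET request is not flagged because registration is expected over POST.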
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.15% (35th percentile)
CISA SSVC
CVSS Vector
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions; reliably exploitable.
- Privileges Required: None. No authentication needed; exploitable without credentials.
- User Interaction: None. Automatic and silent attack; the victim does nothing.
- Scope: Unchanged. Impact is limited to the vulnerable component.
- Confidentiality: High. Complete loss of confidentiality; all data can be read.
- Integrity: High. Arbitrary data can be written, modified or deleted.
- Availability: High. Complete crash or resource exhaustion; full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Updated
- EPSS updated
Mitigations and Workarounds
The primary mitigation for CVE-2025-13559 is to upgrade to a patched version of the EduKart Pro plugin as soon as it becomes available. Until a patch is released, consider temporarily disabling the EduKart Pro plugin to prevent potential exploitation. As a temporary workaround, implement a WordPress plugin that restricts user roles during registration, preventing the assignment of the 'administrator' role to unauthenticated users. Monitor WordPress access logs for suspicious registration attempts, particularly those attempting to assign the administrator role. After upgrade, confirm the vulnerability is resolved by attempting a user registration with the 'administrator' role and verifying that it is rejected.
How to Fix
No known fix patch is available. Review the vulnerability details carefully and apply mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find an alternative.
Frequently Asked Questions
What is CVE-2025-13559 — Privilege Escalation in EduKart Pro?
CVE-2025-13559 is a critical vulnerability allowing unauthenticated attackers to gain administrator access to WordPress sites using the EduKart Pro plugin by exploiting a flaw in user registration.
Am I affected by CVE-2025-13559 in EduKart Pro?
If you are using EduKart Pro versions 1.0.0 through 1.0.3 on your WordPress site, you are potentially affected by this vulnerability.
How do I fix CVE-2025-13559 in EduKart Pro?
Upgrade to a patched version of the EduKart Pro plugin as soon as it becomes available. Until then, disable the plugin or implement a workaround to restrict user roles during registration.
Is CVE-2025-13559 being actively exploited?
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted by malicious actors.
Where can I find the official EduKart Pro advisory for CVE-2025-13559?
Refer to the EduKart Pro plugin's official website or WordPress plugin repository for updates and advisories regarding this vulnerability.