Fixed in version: 101.2.2
CVE-2025-13675 describes a critical Privilege Escalation vulnerability discovered in the Tiger WordPress theme. This flaw allows unauthenticated attackers to elevate their privileges to administrator level, potentially compromising the entire WordPress site. The vulnerability affects all versions up to and including 101.2.1. A fix is available in subsequent versions of the theme.
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-13675 can gain full administrative control over the affected WordPress site. This includes the ability to modify content, install malicious plugins, create new user accounts with elevated privileges, and potentially access sensitive data stored within the WordPress database. The attacker could also use the compromised site to launch further attacks against other systems on the network, significantly expanding the blast radius. This vulnerability is particularly concerning given the widespread use of WordPress and the potential for automated exploitation targeting vulnerable Tiger theme installations.
CVE-2025-13675 was publicly disclosed on 2025-11-27. The vulnerability's simplicity and the widespread use of the Tiger theme suggest a high probability of exploitation. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of exploitation makes it likely that PoCs will emerge. It is recommended to prioritize patching this vulnerability to prevent potential compromise.
Websites using the Tiger WordPress theme, particularly those with default configurations or limited security hardening, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'paypal-submit.php' /var/www/html/
• wordpress / composer / npm:
wp theme list | grep -i tiger
• wordpress / composer / npm:
wp theme update tiger
• generic web:
Check WordPress access logs for suspicious POST requests to /wp-login.php with parameters attempting to set the user role to 'administrator'.
Exploitation status
EPSS: 0.15% (35th percentile)
The primary mitigation for CVE-2025-13675 is to upgrade the Tiger WordPress theme to a version that includes the security fix. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily restricting user registration to known, trusted email domains. While not a complete solution, this can reduce the attack surface. Monitor WordPress access logs for suspicious registration attempts, particularly those using unusual email addresses or attempting to assign the 'administrator' role. Web Application Firewalls (WAFs) configured to block requests containing suspicious parameters related to user registration could also provide a layer of defense.
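The access-log check recommended in the detection list and in the mitigation paragraph above, as an added example that is not part of the advisory: it parses combined-format access-log lines and flags POST requests to /wp-login.php whose query string carries a role parameter or a self-registration action. The log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_suspicious_registration(line):
    """Return (ip, timestamp, reason) for a POST to /wp-login.php that
    carries a role parameter or a registration action; otherwise None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    url = urlsplit(m.group("target"))
    if url.path != "/wp-login.php":
        return None
    params = parse_qs(url.query)
    action = params.get("action", [""])[0]
    roles = [v.lower() for v in params.get("role", [])]
    if "administrator" in roles:
        reason = "role=administrator supplied"          # privilege-escalation attempt
    elif roles:
        reason = "role parameter supplied: " + ",".join(roles)
    elif action == "register":
        reason = "self-registration attempt"           # review if registration is disabled
    else:
        return None
    return (m.group("ip"), m.group("ts"), reason)

def scan(lines):
    """Run the check over an iterable of log lines, skipping blanks."""
    hits = []
    for line in lines:
        hit = is_suspicious_registration(line.strip())
        if hit:
            hits.append(hit)
    return hits

# Constructed sample log: one normal GET, one escalation attempt,
# one plain registration attempt, one ordinary login POST.
SAMPLE_LOG = """
203.0.113.10 - - [27/Nov/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Nov/2025:10:01:05 +0000] "POST /wp-login.php?action=register&role=administrator HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Nov/2025:10:02:00 +0000] "POST /wp-login.php?action=register HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.8 - - [27/Nov/2025:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, ts, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip}: {reason}")
```

Only query-string parameters appear in a standard access log; a role parameter sent in the POST body is invisible here unless request-body logging or a WAF log is available.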
CVE-2025-13675 is a CRITICAL vulnerability allowing unauthenticated attackers to gain administrator access to WordPress sites using the Tiger theme due to improper role restrictions during user registration.
If you are using the Tiger WordPress theme and your version is 0.0.0–101.2.1, you are likely affected by this vulnerability. Check your theme version immediately.
Upgrade the Tiger WordPress theme to a version that includes the security fix. Check the theme developer's website for the latest version.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation. It's crucial to patch promptly.
Refer to the official Tiger WordPress theme developer's website or the WordPress plugin repository for the latest advisory and updates.