Platform: wordpress
Component: tiger
Fixed in: 101.2.2
CVE-2025-13675 describes a critical Privilege Escalation vulnerability discovered in the Tiger WordPress theme. This flaw allows unauthenticated attackers to elevate their privileges to administrator level, potentially compromising the entire WordPress site. The vulnerability affects all versions up to and including 101.2.1. A fix is available in subsequent versions of the theme.
The impact of this vulnerability is severe. An attacker exploiting CVE-2025-13675 can gain full administrative control over the affected WordPress site. This includes the ability to modify content, install malicious plugins, create new user accounts with elevated privileges, and potentially access sensitive data stored within the WordPress database. The attacker could also use the compromised site to launch further attacks against other systems on the network, significantly expanding the blast radius. This vulnerability is particularly concerning given the widespread use of WordPress and the potential for automated exploitation targeting vulnerable Tiger theme installations.
CVE-2025-13675 was publicly disclosed on 2025-11-27. The vulnerability's simplicity and the widespread use of the Tiger theme suggest a high probability of exploitation. While no public proof-of-concept (PoC) code has been released at the time of writing, the ease of exploitation makes it likely that PoCs will emerge. It is recommended to prioritize patching this vulnerability to prevent potential compromise.
Websites using the Tiger WordPress theme, particularly those with default configurations or limited security hardening, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm: grep -r 'paypal-submit.php' /var/www/html/
• wordpress / composer / npm: wp theme list | grep tiger
• wordpress / composer / npm: wp theme update tiger
• generic web: Check WordPress access logs for suspicious POST requests to /wp-login.php with parameters attempting to set the user role to 'administrator'.
disclosure
Exploit status
EPSS
0.15% (35th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13675 is to upgrade the Tiger WordPress theme to a version that includes the security fix. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily restricting user registration to known, trusted email domains. While not a complete solution, this can reduce the attack surface. Monitor WordPress access logs for suspicious registration attempts, particularly those using unusual email addresses or attempting to assign the 'administrator' role. Web Application Firewalls (WAFs) configured to block requests containing suspicious parameters related to user registration could also provide a layer of defense.
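One way to run the access-log check named in the detection list and in the mitigation paragraph above, as an added example that is not part of this advisory or the theme's own tooling. It parses combined-format access log lines (constructed samples, not real traffic) and flags requests that carry `role=administrator`, registration requests to /wp-login.php, and POSTs to a `paypal-submit.php` path; the theme path and the `role` parameter name are assumptions, not details the advisory confirms.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format:
# ip - - [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges), not from a real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2025:10:01:02 +0000] "POST /wp-login.php?action=register&role=administrator HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.3 - - [27/Nov/2025:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Nov/2025:10:01:09 +0000] "POST /wp-content/themes/tiger/paypal-submit.php HTTP/1.1" 200 12 "-" "curl/8.4.0"
192.0.2.10 - - [27/Nov/2025:10:02:00 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Access logs record the query string only, never the POST body, so body
# parameters need a WAF or ModSecurity audit log instead of this check.
def classify(line):
    """Return the findings for one access-log line (empty list if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query)
    findings = []
    roles = [r.lower() for r in params.get("role", [])]  # assumed parameter name
    if "administrator" in roles:
        findings.append("role=administrator in request parameters")
    if url.path == "/wp-login.php" and "register" in params.get("action", []):
        findings.append("user registration request")
    if m.group("method") == "POST" and url.path.endswith("/paypal-submit.php"):
        findings.append("POST to theme file paypal-submit.php")  # assumed path
    return findings

def scan(log_text):
    """Return (ip, path, findings) for every line that produced at least one finding."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), urlsplit(m.group("target")).path, findings))
    return hits

if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print(f"{ip} {path}: {'; '.join(findings)}")
```

Feed it a real log with `scan(open("/var/log/apache2/access.log").read())` and review the flagged source IPs against the site's user table for accounts created at those times.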
No known patch available. Please review the vulnerability details in depth and apply mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-13675 is a CRITICAL vulnerability allowing unauthenticated attackers to gain administrator access to WordPress sites using the Tiger theme due to improper role restrictions during user registration.
If you are using the Tiger WordPress theme and your version is 0.0.0–101.2.1, you are likely affected by this vulnerability. Check your theme version immediately.
Upgrade the Tiger WordPress theme to a version that includes the security fix. Check the theme developer's website for the latest version.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation. It's crucial to patch promptly.
Refer to the official Tiger WordPress theme developer's website or the WordPress plugin repository for the latest advisory and updates.