{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13091", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-12T20:33:20.581Z", "datePublished": "2026-02-19T04:36:18.231Z", "dateUpdated": "2026-04-08T17:05:03.782Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:03.782Z"}, "affected": [{"vendor": "wpfable", "product": "Shopire", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.57", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the 'fable-extra' plugin."}], "title": "Shopire <= 1.0.57 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/873b54ba-d29f-4e09-9dc1-a38c10ebfcb1?source=cve"}, {"url": "https://themes.trac.wordpress.org/browser/shopire/1.0.50/inc/admin/getting-started.php"}, {"url": "https://themes.svn.wordpress.org/shopire/1.0.50/inc/admin/getting-started.php"}, {"url": "https://themes.trac.wordpress.org/browser/shopire/1.0.50/inc/admin/assets/js/shopire-admin-script.js"}, {"url": "https://themes.svn.wordpress.org/shopire/1.0.50/inc/admin/assets/js/shopire-admin-script.js"}, {"url": "https://themes.trac.wordpress.org/changeset/304732/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-15 External Control of System or Configuration Setting", "cweId": "CWE-15", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ky0toFu"}], "timeline": [{"time": "2026-02-18T15:29:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T21:09:56.442246Z", "id": "CVE-2025-13091", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:10:09.099Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13091", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T21:09:56.442246Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T21:10:04.856Z"}}], "cna": {"title": "Shopire <= 1.0.57 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install", "credits": [{"lang": "en", "type": "finder", "value": "Ky0toFu"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpfable", "product": "Shopire", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.57"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-18T15:29:13.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/873b54ba-d29f-4e09-9dc1-a38c10ebfcb1?source=cve"}, {"url": "https://themes.trac.wordpress.org/browser/shopire/1.0.50/inc/admin/getting-started.php"}, {"url": "https://themes.svn.wordpress.org/shopire/1.0.50/inc/admin/getting-started.php"}, {"url": "https://themes.trac.wordpress.org/browser/shopire/1.0.50/inc/admin/assets/js/shopire-admin-script.js"}, {"url": "https://themes.svn.wordpress.org/shopire/1.0.50/inc/admin/assets/js/shopire-admin-script.js"}, {"url": "https://themes.trac.wordpress.org/changeset/304732/"}], "descriptions": [{"lang": "en", "value": "The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the 'fable-extra' plugin."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-15", "description": "CWE-15 External Control of System or Configuration Setting"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-19T04:36:18.231Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13091", "state": "PUBLISHED", "dateUpdated": "2026-02-19T21:10:09.099Z", "dateReserved": "2025-11-12T20:33:20.581Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-19T04:36:18.231Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the 'fable-extra' plugin."}, {"lang": "es", "value": "El tema Shopire para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n shopire_admin_install_plugin() en todas las versiones hasta la 1.0.57, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, instalen el plugin 'fable-extra'."}], "id": "CVE-2025-13091", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-19T07:17:30.153", "references": [{"source": "security@wordfence.com", "url": "https://themes.svn.wordpress.org/shopire/1.0.50/inc/admin/assets/js/shopire-admin-script.js"}, {"source": "security@wordfence.com", "url": "https://themes.svn.wordpress.org/shopire/1.0.50/inc/admin/getting-started.php"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/browser/shopire/1.0.50/inc/admin/assets/js/shopire-admin-script.js"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/browser/shopire/1.0.50/inc/admin/getting-started.php"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/changeset/304732/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/873b54ba-d29f-4e09-9dc1-a38c10ebfcb1?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-15"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.57]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Shopire", "source": "cna", "vendor": "wpfable"}, "product": "shopire", "vendor": "wpfable"}], "analysis": {"en": {"generated_at": "2026-04-21T15:52:31.930925+00:00", "value": {"mitigation_remediation": ["Upgrade the Shopire theme to the latest version that includes the missing capability check (if available).", "Use a role editor plugin or custom code to remove the plugin\u2011installation capability from Subscriber and lower roles, restricting it to administrators only.", "Delete any fable\u2011extra or other malicious plugins that may have been installed using this vulnerability.", "Perform a security audit of the WordPress site to locate and remove any additional unauthorized files or plugins, and verify that the environment is clean."], "summary": {"action": "Patch", "impact": "Unauthorized plugin installation by authenticated users"}, "threat_synthesis": {"affected_systems": "All installations of the Shopire theme for WordPress with versions up to and including 1.0.57 are affected. The flaw exists in the admin interface where plugin installation is handled, impacting any site running a vulnerable version of this theme.", "description_and_impact": "The Shopire WordPress theme contains a missing capability check in the shopire_admin_install_plugin() function. This flaw allows any authenticated user with Subscriber-level access or higher to install the fable-extra plugin, potentially leading to the execution of malicious code and compromising the site's confidentiality, integrity, or availability. The issue is categorized as CWE-15 \u2013 External Control of Input. ", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. Attackers would need to log in with at least Subscriber privileges and then access the plugin installation function via the theme's administrative interface to exploit the flaw."}}}}, "created": "2026-02-19T10:07:04.256531+00:00", "updated": "2026-04-21T16:00:13.272120+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpfable", "wpfable$PRODUCT$shopire"]}