{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13538", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-22T04:52:29.052Z", "datePublished": "2025-11-27T04:36:42.999Z", "dateUpdated": "2026-04-08T16:36:49.908Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:49.908Z"}, "affected": [{"vendor": "Elated Themes", "product": "FindAll Listing", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The FindAll Listing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.5. This is due to the 'findall_listing_user_registration_additional_params' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if the FindAll Membership plugin is also activated, because user registration is in that plugin."}], "title": "FindAll Listing <= 1.0.5 - Unauthenticated Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/14981949-271c-4f98-a6a1-b00619f1436d?source=cve"}, {"url": "https://themeforest.net/item/findall-business-directory-theme/24415962"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ismail Syaleh"}], "timeline": [{"time": "2025-11-26T16:08:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-28T14:42:08.918872Z", "id": "CVE-2025-13538", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T19:33:26.079Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13538", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-28T14:42:08.918872Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-28T14:42:09.888Z"}}], "cna": {"title": "FindAll Listing <= 1.0.5 - Unauthenticated Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Ismail Syaleh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Elated Themes", "product": "FindAll Listing", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-26T16:08:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/14981949-271c-4f98-a6a1-b00619f1436d?source=cve"}, {"url": "https://themeforest.net/item/findall-business-directory-theme/24415962"}], "descriptions": [{"lang": "en", "value": "The FindAll Listing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.5. This is due to the 'findall_listing_user_registration_additional_params' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if the FindAll Membership plugin is also activated, because user registration is in that plugin."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:49.908Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13538", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:36:49.908Z", "dateReserved": "2025-11-22T04:52:29.052Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-27T04:36:42.999Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The FindAll Listing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.5. This is due to the 'findall_listing_user_registration_additional_params' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if the FindAll Membership plugin is also activated, because user registration is in that plugin."}], "id": "CVE-2025-13538", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-27T05:16:12.453", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/findall-business-directory-theme/24415962"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/14981949-271c-4f98-a6a1-b00619f1436d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:31:10.738350+00:00", "value": {"mitigation_remediation": ["Upgrade FindAll Listing to a version newer than 1.0.5, which removes the unrestricted role parameter in the registration process.", "Verify that the FindAll Membership plugin is also updated to a release that limits role assignments or disable the registration component if an update is not available.", "If updating is not immediately possible, block or remove the findall_listing_user_registration_additional_params endpoint by adjusting the plugin's hooks or using a security plugin to restrict registration to approved roles."], "summary": {"action": "Patch ASAP", "impact": "Privilege Escalation (Unauthenticated)"}, "threat_synthesis": {"affected_systems": "Elated Themes' FindAll Listing plugin versions 1.0.5 and earlier are affected. The attack requires that the complementary FindAll Membership plugin be installed and activated, which is common in WordPress setups that use the FindAll business directory solution.\n", "description_and_impact": "The FindAll Listing WordPress plugin contains a flaw that allows any remote user to register a new account with elevated privileges. The vulnerability exists because the findall_listing_user_registration_additional_params function accepts a role value without validating it against the list of allowed roles. If an attacker crafts a registration request carrying the role value 'administrator', the system will create an administrator account, giving the attacker full control over the site. This flaw delivers uncontestable administrator access and is active only when the FindAll Membership plugin is enabled, since registration handling occurs in that plugin.\n", "risk_and_exploitability": "The flaw carries a CVSS score of 9.8, reflecting its critical severity and the breadth of impact. The EPSS score of less than 1% indicates that, as of the last update, the probability of exploitation is very low, and the vulnerability is not listed in CISA's KEV catalog. However, because an unauthenticated user can directly register an administrator account, the attack vector is straightforward and requires no pre\u2011existing account or complex interaction. Exploitation is contingent on the Membership plugin being turned on, but the simplicity of the registration payload and the high value of the target role make the process highly viable for motivated adversaries.\n"}}}}, "created": "2025-11-27T16:25:58.836493+00:00", "updated": "2026-04-22T16:45:21.449989+00:00", "vendors": ["elated_themes", "elated_themes$PRODUCT$findall_listing", "wordpress", "wordpress$PRODUCT$wordpress"]}