{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13542", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-22T13:49:34.767Z", "datePublished": "2025-12-02T19:27:16.108Z", "dateUpdated": "2026-04-08T17:21:35.464Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:35.464Z"}, "affected": [{"vendor": "DesignThemes", "product": "DesignThemes LMS", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The DesignThemes LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.4. This is due to the 'dtlms_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site."}], "title": "DesignThemes LMS <= 1.0.4 - Unauthenticated Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c880470f-3f81-47a2-b450-7074410e9f43?source=cve"}, {"url": "https://themeforest.net/item/egrad-education-wordpress-theme/42803015"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ismail Syaleh"}], "timeline": [{"time": "2025-12-02T07:26:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-02T19:36:37.176375Z", "id": "CVE-2025-13542", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T19:36:45.547Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13542", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-02T19:36:37.176375Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T19:36:41.428Z"}}], "cna": {"title": "DesignThemes LMS <= 1.0.4 - Unauthenticated Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Ismail Syaleh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "DesignThemes", "product": "DesignThemes LMS", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-02T07:26:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c880470f-3f81-47a2-b450-7074410e9f43?source=cve"}, {"url": "https://themeforest.net/item/egrad-education-wordpress-theme/42803015"}], "descriptions": [{"lang": "en", "value": "The DesignThemes LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.4. This is due to the 'dtlms_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-02T19:27:16.108Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13542", "state": "PUBLISHED", "dateUpdated": "2025-12-02T19:36:45.547Z", "dateReserved": "2025-11-22T13:49:34.767Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-02T19:27:16.108Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The DesignThemes LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.4. This is due to the 'dtlms_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site."}], "id": "CVE-2025-13542", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-02T20:15:49.670", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/egrad-education-wordpress-theme/42803015"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c880470f-3f81-47a2-b450-7074410e9f43?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:11:46.224697+00:00", "value": {"mitigation_remediation": ["Update DesignThemes LMS to a version newer than 1.0.4 which removes the unrestricted role assignment during registration.", "If an update cannot be applied immediately, configure WordPress to enforce role restrictions on registration by adding a role whitelist or disabling public user registration in the plugin settings.", "As a temporary measure, block or limit the 'dtlms_register_user_front_end' endpoint using a web\u2011application firewall or by adding a nonce requirement to the form submission process to prevent unauthenticated role injections."], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated Privilege Escalation"}, "threat_synthesis": {"affected_systems": "DesignThemes LMS plugin version 1.0.4 and all earlier releases on WordPress sites such as the eGrad Education theme from ThemeForest are affected.", "description_and_impact": "The DesignThemes LMS plugin for WordPress allows any visitor to register a new account using the 'dtlms_register_user_front_end' function. Because this function does not limit the role that can be assigned at registration, an attacker can submit a request with the role value set to 'administrator' and receive an administrator account. Obtaining direct administrator access enables modification of site settings, content, and user data with full control.", "risk_and_exploitability": "The vulnerability carries a CVSS base score of 9.8, indicating critical severity, but the EPSS score of less than 1% suggests that exploitation likelihood is currently low. The absence of this issue from the CISA KEV catalog means no known public exploits are documented. Attackers would need only an unauthenticated web request to the registration endpoint, making the entry point trivial and universally reachable."}}}}, "created": "2025-12-04T16:44:41.339782+00:00", "updated": "2026-04-21T01:15:20.135158+00:00", "vendors": ["designthemes", "designthemes$PRODUCT$designthemes_lms", "wordpress", "wordpress$PRODUCT$wordpress"]}