{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13619", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-24T20:08:48.578Z", "datePublished": "2025-12-20T06:22:02.869Z", "dateUpdated": "2026-04-08T17:12:47.007Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:47.007Z"}, "affected": [{"vendor": "CMSSuperHeroes", "product": "Flex Store Users", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. This is due to the 'fsUserHandle::signup' and the 'fsSellerRole::add_role_seller' functions not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can be exploited with the 'fs_type' parameter if the Flex Store Seller plugin is also activated."}], "title": "Flex Store Users <= 1.1.0 - Unauthenticated Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2fc40ed-a6af-4069-be63-cb75e98cc98a?source=cve"}, {"url": "https://themeforest.net/item/autosmart-automotive-car-dealer-wordpress-theme/20322930"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ismail Syaleh"}], "timeline": [{"time": "2025-12-19T18:05:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-22T20:27:41.955505Z", "id": "CVE-2025-13619", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:28:09.218Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13619", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-22T20:27:41.955505Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-22T20:28:05.313Z"}}], "cna": {"title": "Flex Store Users <= 1.1.0 - Unauthenticated Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Ismail Syaleh"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "CMSSuperHeroes", "product": "Flex Store Users", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-19T18:05:13.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2fc40ed-a6af-4069-be63-cb75e98cc98a?source=cve"}, {"url": "https://themeforest.net/item/autosmart-automotive-car-dealer-wordpress-theme/20322930"}], "descriptions": [{"lang": "en", "value": "The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. This is due to the 'fsUserHandle::signup' and the 'fsSellerRole::add_role_seller' functions not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can be exploited with the 'fs_type' parameter if the Flex Store Seller plugin is also activated."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:12:47.007Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13619", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:12:47.007Z", "dateReserved": "2025-11-24T20:08:48.578Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-20T06:22:02.869Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. This is due to the 'fsUserHandle::signup' and the 'fsSellerRole::add_role_seller' functions not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can be exploited with the 'fs_type' parameter if the Flex Store Seller plugin is also activated."}], "id": "CVE-2025-13619", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-20T07:15:44.197", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/autosmart-automotive-car-dealer-wordpress-theme/20322930"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2fc40ed-a6af-4069-be63-cb75e98cc98a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:40:14.099192+00:00", "value": {"mitigation_remediation": ["Upgrade Flex Store Users plugin to the latest version that contains the role restriction fix", "If an upgrade is not immediately possible, remove the Flex Store Users plugin from the site or disable it to block unauthorized role creation", "Restrict the creation of new user accounts to local administrators through the WordPress user role settings or a security plugin"], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "This flaw affects the CMSSuperHeroes Flex Store Users WordPress plugin versions 1.1.0 and earlier. The vulnerability is present in all releases up to and including 1.1.0; it is resolved in newer versions released after that point.", "description_and_impact": "The Flex Store Users plugin allows any visitor to register a new user account. The signup and seller\u2011role functions do not enforce role restrictions, so an attacker can choose the administrator role at registration time. This flaw enables an unauthenticated user to create an account with full administrator privileges, compromising the entire WordPress site. The vulnerability is mitigated only by the presence of additional access checks in future plugin releases.", "risk_and_exploitability": "The CVSS score of 9.8 signals a critical severity. Although the EPSS score is below 1%, indicating low current exploitation probability, the flaw can be acted upon remotely without any authentication. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the issue by accessing the registration endpoint, optionally providing the fs_type parameter if the Flex Store Seller plugin is active, and specifying the administrator role. Once exploited, the attacker gains full control of the WordPress installation."}}}}, "created": "2025-12-21T21:12:26.396120+00:00", "updated": "2026-04-21T00:45:23.095645+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}