CVE-2025-13618: WordPress Mentoring Plugin Vulnerability

CVE-2025-13618 Overview

CVE-2025-13618 is a privilege escalation vulnerability in the Mentoring plugin for WordPress affecting all versions up to and including 1.2.8. The flaw exists in the mentoring_process_registration() function, which fails to restrict the roles users can select during registration. Unauthenticated attackers can submit crafted registration requests and create accounts with administrator-level privileges. Successful exploitation grants full control over the WordPress site, including content modification, plugin installation, and access to sensitive data. The vulnerability is classified under [CWE-269: Improper Privilege Management].

Critical Impact

Unauthenticated remote attackers can register administrator accounts on vulnerable WordPress sites, leading to complete site compromise.

Affected Products

• Mentoring plugin for WordPress, all versions through 1.2.8
• WordPress sites using the Mentoring education theme registration workflow
• Sites distributing the plugin via the ThemeForest Mentoring Education theme bundle

Discovery Timeline

• 2026-05-05 - CVE-2025-13618 published to NVD
• 2026-05-05 - Last updated in NVD database

Technical Details for CVE-2025-13618

Vulnerability Analysis

The Mentoring plugin exposes a public registration handler named mentoring_process_registration(). This function processes user-submitted registration data and creates a new WordPress account. The handler accepts a role parameter from the client request without validating it against an allowlist of permitted roles. An attacker can supply administrator as the role value, and the plugin will assign that role to the newly created account.

Because the endpoint is reachable without authentication, exploitation requires no prior credentials, no user interaction, and no special privileges. The attack is performed over the network against the WordPress front-end registration flow.

Root Cause

The root cause is missing role validation inside mentoring_process_registration(). The function trusts client-supplied input when invoking the WordPress user creation routine. A correct implementation would either hardcode the registered role to a low-privilege value such as subscriber or validate the requested role against a server-side allowlist that excludes privileged roles like administrator and editor.

Attack Vector

The attack vector is network-based and unauthenticated. An attacker sends an HTTP POST request to the plugin's registration endpoint with parameters that include a privileged role value. The server processes the request, creates the user, and assigns the requested role. The attacker then logs in to the WordPress administration panel using the newly created credentials and operates as a full administrator. From that position the attacker can install malicious plugins, modify themes to deploy webshells, exfiltrate database contents, and pivot into hosting infrastructure.

No verified proof-of-concept code is published in the referenced advisories. See the Wordfence Vulnerability Record for additional technical detail.

Detection Methods for CVE-2025-13618

Indicators of Compromise

• New WordPress user accounts with the administrator role created through the public registration flow rather than via existing administrator action.
• HTTP POST requests to admin-ajax.php or front-end registration endpoints containing a role parameter set to administrator, editor, or other privileged values.
• Unexpected plugin or theme installations, modified wp-config.php, or new PHP files in wp-content/uploads/ shortly after a registration event.

Detection Strategies

• Audit the wp_users and wp_usermeta tables for accounts created during the affected version window and cross-reference with wp_capabilities entries containing administrator.
• Inspect web server access logs for POST requests targeting the Mentoring plugin's registration handler, particularly requests submitting a role field.
• Correlate new account creation events with subsequent administrative actions such as plugin uploads or option changes via WordPress audit logs.

Monitoring Recommendations

• Enable WordPress security logging plugins to record user creation, role changes, and authentication events.
• Forward web server and WordPress audit logs to a centralized SIEM and alert on creation of privileged accounts outside change windows.
• Monitor file integrity in wp-content/plugins/ and wp-content/themes/ for unexpected modifications following account creation.

How to Mitigate CVE-2025-13618

Immediate Actions Required

• Disable or remove the Mentoring plugin until a patched version is confirmed installed.
• Audit all WordPress accounts and remove any administrator-level users created without authorization.
• Rotate credentials for legitimate administrators and reset secret keys in wp-config.php to invalidate existing sessions.
• Review installed plugins, themes, and uploaded files for backdoors introduced via abused administrator access.

Patch Information

No fixed version is identified in the published NVD record at the time of writing. Versions through 1.2.8 are vulnerable. Consult the Mentoring WP Changelog and the vendor ThemeForest listing for an updated release that hardens mentoring_process_registration().

Workarounds

• Disable open user registration in WordPress general settings if the Mentoring registration form is not required.
• Deploy a web application firewall rule that blocks POST requests to the plugin's registration endpoint containing a role parameter with privileged values.
• Restrict access to the registration page using server-level access controls until the plugin is updated.

# Example WAF rule (ModSecurity) blocking privileged role assignment
SecRule REQUEST_METHOD "@streq POST" \
  "chain,phase:2,deny,status:403,id:1013618,\
   msg:'Block CVE-2025-13618 privileged role registration'"
  SecRule ARGS:role "@rx ^(administrator|editor|author)$" \
    "t:lowercase"