CVSS 9.8 · CRITICAL

CVE-2025-13618

The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.

Analysis

The Mentoring plugin for WordPress allows unauthenticated attackers to register as administrators. While the impact is critical, this is a niche plugin with a limited user base and does not impact core WordPress or widely used development infrastructure.

Severity

Score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-269

EPSS

Probability of exploitation (next 30 days): 0.0007 (0.1%)
Percentile: 21.1%
EPSS: 2026-05-06

Published: 5/5/2026, 3:15:58 AM
Last modified: 5/5/2026, 7:09:32 PM
