CVSS 9.8 · CRITICAL

CVE-2025-13618

The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.

Analysis

The Mentoring plugin for WordPress allows unauthenticated attackers to register as administrators. While the impact is critical, this is a niche plugin with a limited user base and does not impact core WordPress or widely used development infrastructure.

Severity

Score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness type (CWE): CWE-269

EPSS

Exploitation probability (next 30 days): 0.0007 (0.1%)
Percentile: 21.1%
EPSS: 2026-05-06

Published: 5/5/2026, 3:15:58
Last modified: 5/5/2026, 19:09:32
