CVE-2025-13619
📋 TL;DR
The Flex Store Users WordPress plugin allows unauthenticated attackers to register accounts with administrator privileges due to improper role validation. This affects all WordPress sites using Flex Store Users plugin versions 1.1.0 and earlier. Attackers can gain full administrative control of vulnerable WordPress installations.
💻 Affected Systems
- Flex Store Users WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover with attacker gaining administrator access, allowing them to install backdoors, modify content, steal data, or use the site for further attacks.
Likely Case
Attackers create administrator accounts to deface websites, inject malicious code, or establish persistent access for future exploitation.
If Mitigated
With proper monitoring and detection, unauthorized administrator account creation can be detected and blocked before significant damage occurs.
🎯 Exploit Status
Simple HTTP POST request with administrator role parameter during registration. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.1.0
Vendor Advisory: https://themeforest.net/item/autosmart-automotive-car-dealer-wordpress-theme/20322930
Restart Required: No
Instructions:
1. Update Flex Store Users plugin to latest version. 2. Verify plugin is updated to version after 1.1.0. 3. Test registration functionality to ensure role validation is working.
🔧 Temporary Workarounds
Disable User Registration
allTemporarily disable new user registration in WordPress settings
WordPress Admin → Settings → General → Membership → Uncheck 'Anyone can register'
Deactivate Vulnerable Plugin
allDisable Flex Store Users plugin until patched
WordPress Admin → Plugins → Find 'Flex Store Users' → Deactivate
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block registration requests containing 'administrator' role parameter
- Enable detailed logging of user registration events and monitor for suspicious administrator account creation
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Flex Store Users → Version number. If version is 1.1.0 or earlier, you are vulnerable.Check Version:
wp plugin list --name='Flex Store Users' --field=versionVerify Fix Applied:
After updating, attempt to register a new user with 'administrator' role parameter. Registration should fail or create a non-privileged account.📡 Detection & Monitoring
Log Indicators:
- Unusual administrator account creation from unknown IPs
- Registration attempts with role=administrator parameter
- Multiple failed registration attempts followed by successful admin creation
Network Indicators:
- HTTP POST requests to registration endpoints with administrator role parameters
- Unusual traffic patterns to user registration pages
SIEM Query:
source="wordpress.log" AND ("role=administrator" OR "fs_type=administrator") AND "registration"