External risk intelligence

WordPress plugin allows attackers to gain admin control

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2025-13618

The Mentoring WordPress plugin has a critical flaw allowing anyone to become an administrator, potentially giving attackers full control of your website without needing an account. This issue warrants immediate attention.

Halo Surface Signal: 5

Privilege Escalation

External exposure likelihood

Halo Surface Signal score for CVE-2025-13618

This vulnerability resides in a WordPress plugin's user registration function. WordPress sites utilizing such plugins are typically public-facing web applications, and registration forms are intentionally exposed to the internet to facilitate visitor account creation, making the vulnerable component directly reachable by any unauthenticated attacker.

Horizon Alert

Summary of the vulnerability and why it matters

The Mentoring plugin for WordPress has a critical flaw that allows anyone to gain administrator access to a website. This issue means an attacker could potentially take complete control of your WordPress site without needing an account.

  • Attackers can register as administrators.
  • Affects unauthenticated users.
  • Can lead to full site compromise.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability to gain administrator privileges on a vulnerable WordPress site. By manipulating the registration process in the Mentoring plugin, they can bypass role restrictions and create an account with full administrative access without any prior authentication. This allows them to immediately control the website and its content.

  • Attacker registers new account.
  • Exploits insecure role assignment.
  • Gains administrator access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to create administrator accounts on WordPress sites, posing a significant risk. The ease of exploitation, combined with the critical impact of full administrative control, makes it a prime target for automated attacks. While specific exploit activity is not yet widely observed, the potential for widespread compromise is high.

  • Unauthenticated remote code execution possible.
  • Critical privilege escalation.
  • Affects common web platform.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate investigation of WordPress sites using the Mentoring plugin, as unauthenticated attackers can gain administrator privileges. Given the critical severity and the high likelihood of exploitation (network attack vector, no authentication required), take affected services offline or isolate them until remediation.

  • Block network access to the registration functionality.
  • Update the Mentoring plugin to version 1.2.9 or higher.
  • Monitor for unauthorized administrator account creation.
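The monitoring step above can be scripted. The following is an added example, not code from this advisory or from the plugin's vendor: it takes rows from wp_users joined with each user's capabilities row in wp_usermeta (the column names and the PHP-serialized capabilities format are WordPress's own; the flat export layout and the sample rows are constructed here) and flags administrator accounts registered after a chosen date that are not on an allowlist of known administrators.

```python
import re
from datetime import datetime

# Constructed sample export: one row per user, with wp_users.ID, user_login and
# user_registered joined to the wp_usermeta value for the '<prefix>capabilities'
# key. WordPress stores that value as a PHP-serialized array of role => true.
SAMPLE_ROWS = [
    {"ID": 1, "user_login": "site-owner", "user_registered": "2024-03-02 09:14:00",
     "capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 57, "user_login": "mentee-jane", "user_registered": "2025-11-20 18:02:11",
     "capabilities": 'a:1:{s:10:"subscriber";b:1;}'},
    {"ID": 58, "user_login": "support-team", "user_registered": "2025-11-21 03:45:09",
     "capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]

# Matches one serialized entry such as s:13:"administrator";b:1;
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:(0|1);')


def roles_from_capabilities(serialized):
    """Return the set of role names whose flag is true in a PHP-serialized
    capabilities array, without a full PHP unserializer."""
    return {name for name, flag in _ROLE_RE.findall(serialized) if flag == "1"}


def find_recent_admins(rows, since, known_admins=frozenset()):
    """Return the logins of administrator accounts registered at or after
    `since` that are not in the allowlist of known administrators."""
    hits = []
    for row in rows:
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered < since:
            continue
        if ("administrator" in roles_from_capabilities(row["capabilities"])
                and row["user_login"] not in known_admins):
            hits.append(row["user_login"])
    return hits


if __name__ == "__main__":
    # Review every administrator created since the start of the month under review.
    suspicious = find_recent_admins(SAMPLE_ROWS, datetime(2025, 11, 1),
                                    known_admins={"site-owner"})
    for login in suspicious:
        print(f"review administrator account: {login}")
```

Any login reported here should be checked against the site's change records; an administrator nobody created is the indicator this advisory tells you to watch for.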

Frequently asked questions

What is the Mentoring plugin for WordPress?

The Mentoring plugin is an add-on for WordPress websites that, in all versions up to and including 1.2.8, contains a critical security vulnerability. It is used to manage user registration within a WordPress site, often for educational or community platforms.

What is the weakness in the Mentoring plugin (CVE-2025-13618)?

The vulnerability, identified as CVE-2025-13618, is a privilege escalation weakness (CWE-269). The plugin improperly allows any user to register with administrator-level roles, meaning an attacker could gain full control of a WordPress site without needing an account.

How could an attacker exploit this CVE-2025-13618 vulnerability?

An attacker could exploit this through the plugin's registration function, mentoring_process_registration(). They can bypass role restrictions to create a new user account with administrator privileges. This does not require any prior authentication or existing account on the WordPress site.

Who should be concerned about this WordPress vulnerability?

Anyone managing a WordPress site that uses the Mentoring plugin, especially those with internet-facing registration forms, should be concerned. The Halo Surface Signal indicates this is a 'Very likely' threat because public-facing WordPress sites often expose registration features, making the vulnerability accessible to any unauthenticated attacker.

What is the first step to address the Mentoring plugin vulnerability?

The immediate first step is to investigate all WordPress sites using the Mentoring plugin. If the plugin is in use, consider disabling the registration functionality or isolating the affected services until the plugin can be updated to a secure version, such as 1.2.9 or higher.
