CVE-2025-13091 is a vulnerability classified under CWE-15 (External Control of System or Configuration Setting) found in the Shopire WordPress theme developed by wpfable. The issue stems from the shopire_admin_install_plugin() function lacking proper capability checks, which means that users authenticated with Subscriber-level permissions or higher can exploit this flaw to install the 'fable-extra' plugin without administrative privileges. Since WordPress Subscriber roles typically have very limited permissions, this vulnerability effectively escalates their ability to modify the system by installing plugins, which can introduce malicious code or backdoors. The vulnerability affects all versions of Shopire up to and including 1.0.57. The attack vector is network-based and does not require user interaction, making it easier for attackers to exploit remotely. The CVSS 3.1 base score is 4.3, indicating a medium severity with low complexity of attack (AC:L), requiring low privileges (PR:L), and no user interaction (UI:N). The impact is primarily on integrity, as attackers can alter system configuration by installing unauthorized plugins, but there is no direct impact on confidentiality or availability. No patches or exploit code are currently publicly available, but the vulnerability is published and should be addressed promptly. This vulnerability highlights the risk of insufficient permission checks in WordPress themes, which can undermine the security model of WordPress roles and permissions.

For European organizations, this vulnerability can lead to unauthorized plugin installations on WordPress sites using the Shopire theme, potentially allowing attackers to execute malicious code, create backdoors, or manipulate site behavior. This compromises the integrity of the affected websites and may lead to further exploitation such as data tampering or pivoting within the network. Although the vulnerability does not directly impact confidentiality or availability, the unauthorized plugin installation can serve as a foothold for more severe attacks. Organizations relying on WordPress for e-commerce, content management, or customer interaction could face reputational damage, loss of customer trust, and regulatory scrutiny under GDPR if personal data is indirectly compromised. The ease of exploitation by low-privilege users increases the risk, especially in environments where user account management is lax or where Subscriber accounts are widely issued. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future.

1. Immediately update the Shopire theme to a patched version once available from the vendor or consider temporarily disabling the theme if patching is not possible. 2. Restrict the issuance of Subscriber-level accounts and audit existing accounts to ensure only trusted users have such access. 3. Implement strict role-based access controls and monitor plugin installation activities via WordPress audit logs or security plugins. 4. Use a Web Application Firewall (WAF) to detect and block unauthorized plugin installation attempts targeting the vulnerable function. 5. Regularly scan WordPress installations for unauthorized or suspicious plugins, especially the 'fable-extra' plugin mentioned in the vulnerability. 6. Harden WordPress installations by disabling plugin installations for non-administrative users through custom code or security plugins. 7. Educate site administrators and users about the risks of privilege escalation and the importance of strong account management. 8. Monitor security advisories from wpfable and WordPress security communities for updates or exploit disclosures related to this vulnerability.