CVE-2025-13538 is a critical security vulnerability identified in the FindAll Listing plugin for WordPress, developed by Elated Themes. This vulnerability is classified under CWE-269 (Improper Privilege Management) and affects all plugin versions up to and including 1.0.5. The root cause lies in the 'findall_listing_user_registration_additional_params' function, which fails to properly restrict the user roles that can be assigned during the registration process. Specifically, it allows unauthenticated attackers to supply the 'administrator' role parameter during user registration, thereby escalating their privileges to full administrative access on the WordPress site. However, exploitation is contingent on the FindAll Membership plugin also being activated, as this plugin manages the user registration functionality. The vulnerability has a CVSS 3.1 base score of 9.8, reflecting its critical severity with an attack vector that requires no authentication or user interaction, and impacts confidentiality, integrity, and availability at the highest levels. Although no known exploits are currently reported in the wild, the flaw presents a significant risk due to the ease of exploitation and the potential for complete site takeover. The vulnerability was publicly disclosed on November 27, 2025, with no official patches released at the time of reporting. This vulnerability highlights a severe design flaw in privilege management within the plugin's user registration process, making it a high-priority issue for site administrators using these plugins.

The impact of CVE-2025-13538 is severe for organizations running WordPress sites with the FindAll Listing and FindAll Membership plugins installed. An attacker can gain full administrative privileges without authentication, enabling them to control the entire website. This includes the ability to modify or delete content, install malicious plugins or backdoors, steal sensitive data, disrupt site availability, and potentially pivot to other internal systems if the WordPress site is part of a larger network. The compromise of administrator accounts can lead to long-term persistence and widespread damage. Given WordPress's widespread use across industries, including e-commerce, media, education, and government, the vulnerability poses a significant risk to confidentiality, integrity, and availability of affected sites globally. The ease of exploitation and lack of required user interaction further exacerbate the threat, making it attractive for attackers to exploit rapidly once publicized. Organizations that rely on these plugins for membership and listing functionalities face an urgent need to address this vulnerability to prevent full site compromise.

To mitigate CVE-2025-13538, organizations should immediately disable user registration functionality within the FindAll Membership plugin if possible, to prevent exploitation. If disabling registration is not feasible, temporarily deactivate the FindAll Listing and FindAll Membership plugins until a security patch is released by Elated Themes. Administrators should monitor official vendor channels for updates and apply patches promptly once available. Additionally, implement strict monitoring and alerting for suspicious user account creations, especially those with elevated privileges. Employ web application firewalls (WAFs) with custom rules to block requests attempting to assign the 'administrator' role during registration. Conduct thorough audits of existing user accounts to identify and remove any unauthorized administrator accounts created prior to mitigation. Finally, ensure that WordPress core and all plugins are kept up to date, and consider restricting plugin installations to trusted sources only. These steps go beyond generic advice by focusing on immediate containment, proactive detection, and strict access control tailored to this specific vulnerability.