The vulnerability identified as CVE-2025-13540 affects the Tiare Membership plugin for WordPress, developed by Qode Interactive. This plugin is designed to manage membership functionalities on WordPress sites. The core issue lies in the 'tiare_membership_init_rest_api_register' function, which is responsible for handling user registrations via the REST API. Due to improper privilege management (CWE-269), this function fails to validate or restrict the user roles that can be assigned during registration. As a result, an unauthenticated attacker can craft a registration request specifying the 'administrator' role, thereby gaining full administrative privileges on the WordPress site without any authentication or user interaction. The vulnerability affects all versions up to and including 1.2 of the plugin. The CVSS v3.1 base score is 9.8, reflecting the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation (network vector, no privileges or user interaction required). While no public exploits have been reported yet, the severity and simplicity of exploitation make this a critical threat. The vulnerability allows attackers to fully compromise the site, potentially leading to data theft, site defacement, malware deployment, or pivoting to other internal systems. The lack of patch links indicates that a fix may not yet be publicly available, increasing the urgency for interim mitigations.

If exploited, this vulnerability would allow attackers to gain administrator-level access to affected WordPress sites, resulting in complete compromise. Attackers could steal sensitive data, modify or delete content, install backdoors or malware, disrupt site availability, and potentially use the compromised site as a launchpad for further attacks within an organization’s network. The integrity of the website and its data would be severely undermined, and the confidentiality of user information could be exposed. For organizations relying on WordPress for critical business functions, this could lead to reputational damage, regulatory penalties, and financial losses. Since the exploit requires no authentication or user interaction, the attack surface is broad, and automated exploitation attempts could be widespread once the vulnerability becomes publicly known. The impact extends beyond individual sites to any connected systems or services integrated with the compromised WordPress instance.

Organizations should immediately audit their WordPress installations to identify the presence of the Tiare Membership plugin, especially versions up to 1.2. Until an official patch is released, consider disabling or uninstalling the plugin to eliminate the attack vector. Restrict access to the WordPress REST API endpoints related to user registration by implementing IP whitelisting, authentication requirements, or web application firewall (WAF) rules that block suspicious requests attempting to assign elevated roles. Monitor logs for unusual registration activity, particularly any attempts to register with the 'administrator' role. Employ strong network segmentation to limit the impact of a compromised WordPress site. Keep WordPress core and all plugins updated regularly, and subscribe to vendor advisories for timely patch releases. Additionally, implement multi-factor authentication (MFA) for all administrator accounts to reduce the risk of unauthorized access if exploitation occurs. Conduct regular security assessments and penetration tests focusing on privilege escalation vectors.