CVE-2025-13619 is a critical security vulnerability classified under CWE-269 (Improper Privilege Management) found in the Flex Store Users plugin for WordPress, developed by CMSSuperHeroes. The vulnerability affects all versions up to and including 1.1.0. The root cause lies in the 'fsUserHandle::signup' and 'fsSellerRole::add_role_seller' functions, which fail to enforce restrictions on the user roles that can be assigned during the registration process. Specifically, these functions allow unauthenticated users to specify the 'administrator' role when registering, thereby granting themselves full administrative privileges on the WordPress site. This flaw can be exploited remotely without any authentication or user interaction, making it highly accessible to attackers. Additionally, if the Flex Store Seller plugin is also activated, the vulnerability can be triggered using the 'fs_type' parameter, broadening the attack surface. The vulnerability has been assigned a CVSS v3.1 base score of 9.8, reflecting its critical severity with network attack vector, no required privileges, no user interaction, and full impact on confidentiality, integrity, and availability. Although no active exploits have been reported in the wild, the ease of exploitation and the high impact make this a significant threat to affected WordPress sites. No official patches were linked at the time of publication, emphasizing the need for immediate attention from site administrators.

The impact of CVE-2025-13619 is severe and wide-ranging. Successful exploitation allows an unauthenticated attacker to gain full administrative control over a WordPress site running the vulnerable Flex Store Users plugin. This level of access enables attackers to modify site content, install malicious plugins or backdoors, exfiltrate sensitive data, disrupt site availability, and potentially pivot to other parts of the hosting environment. For organizations, this can result in data breaches, defacement, loss of customer trust, regulatory penalties, and significant remediation costs. Since WordPress powers a substantial portion of websites globally, including e-commerce, corporate, and governmental sites, the potential scale of impact is extensive. The vulnerability's ease of exploitation and lack of required authentication increase the likelihood of automated attacks and mass exploitation campaigns once public exploit code becomes available.

To mitigate CVE-2025-13619, organizations should immediately update the Flex Store Users plugin to a patched version once released by CMSSuperHeroes. Until a patch is available, administrators should consider disabling or uninstalling the Flex Store Users plugin and the Flex Store Seller plugin if installed. As an interim measure, restrict access to the WordPress registration page via IP whitelisting or CAPTCHA to deter automated exploitation. Review and harden user role assignment logic by implementing custom code or security plugins that validate and restrict roles assigned during registration. Monitor WordPress user accounts for unauthorized administrator additions and audit logs for suspicious activity. Employ web application firewalls (WAFs) with custom rules to detect and block attempts to exploit the 'fs_type' parameter or unusual registration requests. Regularly back up site data and configurations to enable rapid recovery in case of compromise.