CVE-2025-13675 is a critical security vulnerability identified in the DirectoryThemes Tiger WordPress theme, affecting all versions up to and including 101.2.1. The root cause is improper privilege management (CWE-269) in the 'paypal-submit.php' script, which fails to enforce restrictions on the user roles that can be assigned during the registration process. Specifically, this allows an unauthenticated attacker to specify the 'administrator' role when registering a new user account, thereby escalating privileges from an unauthenticated state to full administrative control of the WordPress site. This vulnerability does not require any prior authentication or user interaction, making exploitation straightforward and highly impactful. The CVSS v3.1 base score is 9.8, reflecting the vulnerability's ease of exploitation (network vector, low attack complexity), lack of required privileges or user interaction, and its severe impact on confidentiality, integrity, and availability. Although no active exploits have been reported in the wild, the vulnerability's critical nature and the popularity of WordPress and DirectoryThemes Tiger theme make it a significant threat. The vulnerability enables attackers to fully compromise the site, potentially leading to data theft, site defacement, malware distribution, or use of the site as a launchpad for further attacks.

For European organizations, this vulnerability poses a severe risk, particularly for those running WordPress sites with the Tiger theme that allow user registrations. Successful exploitation results in full administrative access, enabling attackers to manipulate site content, steal sensitive data, disrupt services, or deploy malicious payloads. This can lead to reputational damage, regulatory non-compliance (e.g., GDPR violations due to data breaches), financial losses, and operational disruptions. Public sector websites, e-commerce platforms, and organizations handling personal or financial data are especially vulnerable. The ease of exploitation and lack of authentication requirements increase the likelihood of attacks, potentially leading to widespread compromise across organizations using this theme. Additionally, the vulnerability could be leveraged for lateral movement within networks if the WordPress site is integrated with internal systems.

Immediate mitigation steps include disabling user registrations on affected WordPress sites until a patch is available. Administrators should audit the 'paypal-submit.php' file and implement strict role assignment controls, ensuring that user roles cannot be arbitrarily set during registration. Applying principle of least privilege by restricting new user roles to non-administrative levels is critical. Monitoring logs for suspicious registration attempts specifying elevated roles can help detect exploitation attempts. Organizations should subscribe to DirectoryThemes and WordPress security advisories to apply patches promptly once released. Employing Web Application Firewalls (WAFs) with custom rules to block requests attempting to assign administrator roles during registration can provide temporary protection. Regular security audits and penetration testing focusing on user registration flows are recommended to identify similar weaknesses. Finally, organizations should have incident response plans ready to address potential compromises resulting from this vulnerability.