CVE-2025-13675 is a critical security vulnerability identified in the DirectoryThemes Tiger theme for WordPress, affecting all versions up to and including 101.2.1. The root cause is improper privilege management (CWE-269) in the 'paypal-submit.php' script, which does not validate or restrict the user role parameter during user registration. This oversight allows unauthenticated attackers to specify the 'administrator' role when registering a new user account, effectively granting themselves full administrative privileges on the affected WordPress site. The vulnerability requires no authentication or user interaction, making it trivially exploitable remotely over the network. The CVSS 3.1 base score of 9.8 reflects the critical nature of this flaw, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits have been reported yet, the simplicity of exploitation and the high impact make this a severe threat. The Tiger theme is widely used in WordPress sites that utilize DirectoryThemes products, which are popular for directory and listing websites. The vulnerability could lead to complete site takeover, data theft, defacement, or use of the site as a launchpad for further attacks. The lack of an official patch at the time of disclosure increases the urgency for administrators to apply temporary mitigations or monitor for suspicious registrations.

The impact of CVE-2025-13675 is severe for organizations worldwide using the DirectoryThemes Tiger WordPress theme. Successful exploitation results in full administrative access to the WordPress site by unauthenticated attackers, compromising confidentiality, integrity, and availability. Attackers can steal sensitive data, modify or delete content, install malicious plugins or backdoors, and disrupt website operations. This can lead to reputational damage, loss of customer trust, regulatory penalties, and financial losses. Organizations relying on the Tiger theme for critical business functions, especially those running directory or listing services, face heightened risks of service disruption and data breaches. The vulnerability's ease of exploitation and lack of authentication requirements make it attractive for widespread automated attacks, potentially affecting thousands of sites globally. Additionally, compromised sites could be leveraged for phishing, malware distribution, or lateral movement within corporate networks, amplifying the threat.

To mitigate CVE-2025-13675, organizations should immediately take the following specific actions: 1) Disable or restrict access to the 'paypal-submit.php' file until an official patch is released, using web server configuration or security plugins to block unauthorized requests. 2) Implement strict input validation and role assignment controls in the registration process to prevent role escalation, if custom modifications are possible. 3) Monitor user registrations closely for any accounts assigned the 'administrator' role and remove suspicious accounts promptly. 4) Employ Web Application Firewalls (WAFs) with custom rules to detect and block attempts to exploit this vulnerability by filtering requests containing role parameters in registration. 5) Keep WordPress core, themes, and plugins updated and subscribe to DirectoryThemes security advisories for timely patch releases. 6) Conduct regular security audits and penetration tests focusing on privilege escalation vectors. 7) Enforce multi-factor authentication (MFA) for all administrative accounts to reduce the impact of compromised credentials. 8) Backup website data frequently and maintain offline copies to enable rapid recovery in case of compromise. These targeted mitigations go beyond generic advice by focusing on the vulnerable component and attack vector specific to this flaw.