CVE-2025-13851: CWE-269 Improper Privilege Management in scriptsbundle Buyent
The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugin not validating or restricting the user role during registration via the REST API endpoint. This makes it possible for unauthenticated attackers to register accounts with arbitrary roles, including administrator, by manipulating the _buyent_classified_user_type parameter during the registration process, granting them complete control over the WordPress site.
AI Analysis
Technical Summary
CVE-2025-13851 is a critical security vulnerability classified under CWE-269 (Improper Privilege Management) found in the Buyent Classified plugin for WordPress, which is bundled with the Buyent theme. The vulnerability exists in all versions up to and including 1.0.7. The root cause is the plugin's failure to validate or restrict the user role parameter during the registration process via the REST API endpoint. Specifically, attackers can manipulate the _buyent_classified_user_type parameter to assign themselves arbitrary roles, including administrator privileges, without any authentication or user interaction. This results in a privilege escalation attack vector that allows complete takeover of the WordPress site. The vulnerability is remotely exploitable over the network with low attack complexity and no privileges required, as reflected in the CVSS 3.1 score of 9.8 (critical). The impact includes full compromise of site confidentiality, integrity, and availability, enabling attackers to modify content, install malicious code, steal sensitive data, or disrupt services. No patches or official fixes are currently linked, and no known exploits have been observed in the wild, but the vulnerability's nature makes it a high-risk target for attackers. The vulnerability was reserved in December 2025 and published in February 2026 by Wordfence, a reputable security source.
Potential Impact
For European organizations, this vulnerability poses a significant threat, especially those relying on WordPress sites with the Buyent theme and Classified plugin. Successful exploitation can lead to complete site takeover, allowing attackers to deface websites, steal or manipulate sensitive data, deploy malware, or use the compromised site as a launchpad for further attacks within the organization's network. This can result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data breaches), financial losses, and operational disruptions. Public-facing websites of businesses, government agencies, and e-commerce platforms are particularly vulnerable. The ease of exploitation and lack of authentication requirements increase the likelihood of automated attacks targeting vulnerable installations. Given WordPress's widespread use in Europe, the potential impact is broad, affecting small to large enterprises and critical infrastructure reliant on web presence.
Mitigation Recommendations
Immediate mitigation steps include disabling user registration on affected WordPress sites if not required. If registration is necessary, implement custom validation to restrict user roles during registration, ensuring only default or safe roles are assigned. Monitor and restrict access to the REST API endpoints related to user registration, possibly via web application firewalls (WAFs) or security plugins that can filter malicious requests. Regularly audit user accounts for unauthorized administrator roles and remove suspicious accounts promptly. Since no official patch is currently available, organizations should consider applying custom code fixes to validate the _buyent_classified_user_type parameter or temporarily switch to alternative themes/plugins until a vendor patch is released. Additionally, maintain up-to-date backups and monitor logs for unusual registration activity. Engage with the plugin vendor or community for updates and patches. Employ network-level protections such as IP reputation filtering and rate limiting to reduce attack surface.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
CVE-2025-13851: CWE-269 Improper Privilege Management in scriptsbundle Buyent
Description
The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugin not validating or restricting the user role during registration via the REST API endpoint. This makes it possible for unauthenticated attackers to register accounts with arbitrary roles, including administrator, by manipulating the _buyent_classified_user_type parameter during the registration process, granting them complete control over the WordPress site.
AI-Powered Analysis
Technical Analysis
CVE-2025-13851 is a critical security vulnerability classified under CWE-269 (Improper Privilege Management) found in the Buyent Classified plugin for WordPress, which is bundled with the Buyent theme. The vulnerability exists in all versions up to and including 1.0.7. The root cause is the plugin's failure to validate or restrict the user role parameter during the registration process via the REST API endpoint. Specifically, attackers can manipulate the _buyent_classified_user_type parameter to assign themselves arbitrary roles, including administrator privileges, without any authentication or user interaction. This results in a privilege escalation attack vector that allows complete takeover of the WordPress site. The vulnerability is remotely exploitable over the network with low attack complexity and no privileges required, as reflected in the CVSS 3.1 score of 9.8 (critical). The impact includes full compromise of site confidentiality, integrity, and availability, enabling attackers to modify content, install malicious code, steal sensitive data, or disrupt services. No patches or official fixes are currently linked, and no known exploits have been observed in the wild, but the vulnerability's nature makes it a high-risk target for attackers. The vulnerability was reserved in December 2025 and published in February 2026 by Wordfence, a reputable security source.
Potential Impact
For European organizations, this vulnerability poses a significant threat, especially those relying on WordPress sites with the Buyent theme and Classified plugin. Successful exploitation can lead to complete site takeover, allowing attackers to deface websites, steal or manipulate sensitive data, deploy malware, or use the compromised site as a launchpad for further attacks within the organization's network. This can result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data breaches), financial losses, and operational disruptions. Public-facing websites of businesses, government agencies, and e-commerce platforms are particularly vulnerable. The ease of exploitation and lack of authentication requirements increase the likelihood of automated attacks targeting vulnerable installations. Given WordPress's widespread use in Europe, the potential impact is broad, affecting small to large enterprises and critical infrastructure reliant on web presence.
Mitigation Recommendations
Immediate mitigation steps include disabling user registration on affected WordPress sites if not required. If registration is necessary, implement custom validation to restrict user roles during registration, ensuring only default or safe roles are assigned. Monitor and restrict access to the REST API endpoints related to user registration, possibly via web application firewalls (WAFs) or security plugins that can filter malicious requests. Regularly audit user accounts for unauthorized administrator roles and remove suspicious accounts promptly. Since no official patch is currently available, organizations should consider applying custom code fixes to validate the _buyent_classified_user_type parameter or temporarily switch to alternative themes/plugins until a vendor patch is released. Additionally, maintain up-to-date backups and monitor logs for unusual registration activity. Engage with the plugin vendor or community for updates and patches. Employ network-level protections such as IP reputation filtering and rate limiting to reduce attack surface.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-01T20:07:37.511Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699697f36aea4a407a3be048
Added to database: 2/19/2026, 4:56:19 AM
Last enriched: 2/19/2026, 5:11:51 AM
Last updated: 2/20/2026, 9:50:24 PM
Views: 31
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-2858: Out-of-Bounds Read in wren-lang wren
MediumCVE-2026-27120: CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in vapor leaf-kit
MediumCVE-2026-27118: CWE-346: Origin Validation Error in sveltejs kit
MediumCVE-2026-27112: CWE-863: Incorrect Authorization in akuity kargo
CriticalCVE-2026-27111: CWE-862: Missing Authorization in akuity kargo
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.