CVE-2025-13851 is a critical improper privilege management vulnerability (CWE-269) in the Buyent Classified WordPress plugin bundled with the Buyent theme. The plugin fails to validate or restrict the user role during user registration via its REST API endpoint, allowing unauthenticated attackers to specify arbitrary roles, including administrator, by manipulating the _buyent_classified_user_type parameter. This results in privilege escalation, granting attackers complete administrative control over the WordPress site. The vulnerability affects all versions up to and including 1.0.7. The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting network attack vector, low complexity, no privileges or user interaction required, and full confidentiality, integrity, and availability impact. No patch or official fix is currently documented.

Exploitation of this vulnerability allows unauthenticated attackers to create accounts with arbitrary roles, including administrator, on affected WordPress sites using the Buyent Classified plugin. This grants attackers full control over the site, enabling them to modify content, install malicious code, and compromise site integrity, confidentiality, and availability. The impact is critical due to the complete takeover potential without any authentication or user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the REST API registration endpoint if possible, and monitor for unauthorized user registrations. Consider disabling or removing the Buyent Classified plugin if it is not essential. Apply strict role assignment policies and validate user roles manually if feasible. Avoid using affected versions (up to 1.0.7) in production environments.