CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.
Analysis (AI)
Unauthenticated privilege escalation in the Mentoring WordPress theme (all versions up to and including 1.2.8): mentoring_process_registration() does not validate the role supplied with a registration request, so a remote attacker can register an account that is created directly with the administrator role. No authentication or user interaction is needed, and an administrator account is full site takeover (plugin and theme upload, and with it code execution on the host unless file modification is disabled). CVSS 3.1 base score 9.8 (critical): network vector, low complexity, no privileges, no interaction, high impact on confidentiality, integrity and availability. No EPSS or KEV data is provided on this page, but unauthenticated administrator creation is a compromise-on-contact condition for any installation whose registration path is reachable.
Technical Context (AI)
The root cause is improper privilege management (CWE-269) in the theme's user registration handler. WordPress plugins and themes normally create accounts through wp_insert_user(), which applies whatever 'role' key it is handed without any capability check of its own; deciding which roles an anonymous visitor may receive is the caller's job. mentoring_process_registration() does not make that decision: the role in the registration request is neither restricted to an allow-list nor replaced with the site's default role, so a request carrying role=administrator yields an administrator. The page does not state which endpoint (admin-ajax.php action, admin-post.php action or a front-end form handler) routes to the function. Affected product per CPE data: Mentoring theme by DreamsTechnologies, all versions through 1.2.8. This is a commercial theme sold through ThemeForest, not a plugin as the NVD description says, which matters because it is updated through the buyer's ThemeForest account or the theme's own updater rather than the wordpress.org update channel.
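The following is an illustrative reconstruction of the CWE-269 pattern described above, added for this page. It is not the Mentoring theme's code: the function names, the request field names, the AJAX action name and the 'example_mentee' role are assumptions. The first handler shows how a role copied from the request reaches wp_insert_user() unchecked; the second shows the checks a registration handler exposed to anonymous visitors needs.

```php
<?php
/*
 * Added example, not code from the Mentoring theme or from vuln.today.
 * Function names, field names, the AJAX action and 'example_mentee' are assumptions.
 */

// VULNERABLE pattern: the role is copied from the request body into wp_insert_user(),
// which applies any existing role name without a capability check of its own.
function example_vulnerable_process_registration() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        // BUG: a request carrying role=administrator creates an administrator.
        'role'       => sanitize_text_field( wp_unslash( $_POST['role'] ?? 'subscriber' ) ),
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// HARDENED pattern: honour the site's registration switch, require a nonce, map the
// client's choice onto a fixed allow-list, and refuse any role that carries user- or
// site-management capabilities even if the allow-list is edited carelessly later.
function example_hardened_process_registration() {
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    check_ajax_referer( 'example_register', 'nonce' ); // wp_die()s on a bad nonce

    $allowed_roles = array( 'subscriber', 'example_mentee' );
    $requested     = sanitize_key( wp_unslash( $_POST['role'] ?? '' ) );
    $role          = in_array( $requested, $allowed_roles, true )
        ? $requested
        : get_option( 'default_role', 'subscriber' );

    $role_obj = get_role( $role );
    if ( ! $role_obj
        || $role_obj->has_cap( 'promote_users' )
        || $role_obj->has_cap( 'edit_users' )
        || $role_obj->has_cap( 'manage_options' ) ) {
        wp_send_json_error( 'Invalid role.', 400 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}

// Only the hardened handler is wired up; wp_ajax_nopriv_ is the unauthenticated path.
add_action( 'wp_ajax_nopriv_example_register', 'example_hardened_process_registration' );
```

The capability check on the resolved role is the part worth copying: an allow-list alone fails the day someone adds a role with edit_users to it. To check a deployment of the real theme, submit a registration with an extra role=administrator field to whatever endpoint its handler is bound to and confirm the created user lands in the default role.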
Remediation (AI)
Check the vendor changelog at https://mentoring-wp.dreamsmarketplace.com/documentation/changelog.html for a release that fixes the registration handler; the fixed version is not stated in the data this page is built from, so do not assume 1.2.9 until it is confirmed. Because this is a commercial ThemeForest theme, updates arrive through the buyer's ThemeForest account or the theme's own updater, not through the wordpress.org update channel, so unattended sites may remain on 1.2.8 indefinitely. Until a fixed version is installed, uncheck 'Anyone can register' under Settings → General. This closes the hole only if the theme's handler honours the users_can_register option; a custom handler may ignore it, so verify by submitting a test registration after the change. If public registration is a business requirement, disable the theme's own registration handler (unhook it from a child theme) and use a registration plugin that assigns a fixed role, or enforce the default role site-wide with a must-use plugin. At the WAF or reverse proxy, block requests to the endpoint that reaches mentoring_process_registration() when they carry a role parameter other than the site's default role; the exact endpoint (typically an admin-ajax.php action) has to be confirmed in the theme source. Audit existing accounts: list administrators with their registration dates (wp user list --role=administrator --fields=ID,user_login,user_registered) and treat any administrator created through the registration path as a compromise, not just a misconfiguration. Disabling registration will break onboarding for the education and mentoring sites this theme targets, so pair it with a manual or admin-approved signup process in the meantime.
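One way to enforce the default role site-wide while waiting for a vendor fix, as an added example that is not part of this page, the theme or the vendor's documentation: a must-use plugin that hooks the actions WordPress fires whenever a role is assigned. Both wp_insert_user() (via its 'role' key) and a handler that calls set_role() or add_role() afterwards pass through these hooks, so the guard does not depend on knowing how the theme's handler assigns the role. The file name, the log prefix and the 'example_role_guard_allowed_roles' filter are assumptions.

```php
<?php
/**
 * Plugin Name: Example registration role guard
 * Description: Added mitigation example (not the Mentoring theme's code and not from
 *              vuln.today). Install as wp-content/mu-plugins/example-role-guard.php so
 *              it loads before any theme and cannot be deactivated from wp-admin.
 */

// Roles an unprivileged request may legitimately end up with. A membership plugin
// that assigns its own low-privilege role can add it through this (hypothetical) filter.
function example_role_guard_allowed_roles() {
    $default = get_option( 'default_role', 'subscriber' );
    return (array) apply_filters( 'example_role_guard_allowed_roles', array( $default ) );
}

// Runs on every WP_User::set_role() and WP_User::add_role(). If the actor behind the
// current request cannot promote users, any role outside the allow-list is replaced
// with the site's default role and the attempt is written to the PHP error log.
function example_role_guard( $user_id, $role ) {
    static $in_guard = false;               // our own set_role() re-fires the hook

    if ( $in_guard || wp_installing() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;                             // installer and CLI have shell access anyway
    }
    if ( current_user_can( 'promote_users' ) ) {
        return;                             // an administrator is doing this on purpose
    }
    if ( in_array( $role, example_role_guard_allowed_roles(), true ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $default = get_option( 'default_role', 'subscriber' );
    error_log( sprintf(
        'example-role-guard: blocked role "%s" for user %d (%s), forced "%s", remote %s',
        $role,
        $user_id,
        $user->user_login,
        $default,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    $in_guard = true;
    $user->set_role( $default );            // set_role() replaces all roles
    $in_guard = false;
}
add_action( 'set_user_role', 'example_role_guard', 10, 2 );
add_action( 'add_user_role', 'example_role_guard', 10, 2 );
```

The guard keys on the capability of the actor, not on the request path, so Users → Add New and other administrator-driven flows keep working. It is a containment measure, not a fix: it does not stop the unauthenticated registration itself, only the privileged role, and the log line it writes is the signal to watch for while the theme remains unpatched.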
References
EUVD-2025-209637
GHSA-28c2-5wc6-j4hm