{"api_version":"1","generated_at":"2026-05-05T12:40:07+00:00","cve":"CVE-2025-13618","urls":{"html":"https://cve.report/CVE-2025-13618","api":"https://cve.report/api/cve/CVE-2025-13618.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-13618","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-13618"},"summary":{"title":"Mentoring <= 1.2.8 - Unauthenticated Privilege Escalation in mentoring_process_registration","description":"The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2026-05-05 03:15:58","updated_at":"2026-05-05 03:15:58"},"problem_types":["CWE-269","CWE-269 CWE-269 Improper Privilege Management"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Primary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"baseScore":9.8,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/7192fb4c-0434-4e11-a2a7-c205b8d6b68e?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/7192fb4c-0434-4e11-a2a7-c205b8d6b68e?source=cve","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://mentoring-wp.dreamsmarketplace.com/documentation/changelog.html","name":"https://mentoring-wp.dreamsmarketplace.com/documentation/changelog.html","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://themeforest.net/item/mentoring-education-wordpress-theme/36457081","name":"https://themeforest.net/item/mentoring-education-wordpress-theme/36457081","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-13618","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-13618","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"dreamstechnologies","product":"Mentoring","version":"affected 1.2.8 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-05-04T13:32:59.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Ismail Syaleh","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Mentoring","vendor":"dreamstechnologies","versions":[{"lessThanOrEqual":"1.2.8","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Ismail Syaleh"}],"descriptions":[{"lang":"en","value":"The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts."}],"metrics":[{"cvssV3_1":{"baseScore":9.8,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-269","description":"CWE-269 Improper Privilege Management","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-05T02:26:55.265Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/7192fb4c-0434-4e11-a2a7-c205b8d6b68e?source=cve"},{"url":"https://themeforest.net/item/mentoring-education-wordpress-theme/36457081"},{"url":"https://mentoring-wp.dreamsmarketplace.com/documentation/changelog.html"}],"timeline":[{"lang":"en","time":"2026-05-04T13:32:59.000Z","value":"Disclosed"}],"title":"Mentoring <= 1.2.8 - Unauthenticated Privilege Escalation in mentoring_process_registration"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2025-13618","datePublished":"2026-05-05T02:26:55.265Z","dateReserved":"2025-11-24T19:59:15.187Z","dateUpdated":"2026-05-05T02:26:55.265Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-05 03:15:58","lastModifiedDate":"2026-05-05 03:15:58","problem_types":["CWE-269","CWE-269 CWE-269 Improper Privilege Management"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"13618","Ordinal":"1","Title":"Mentoring <= 1.2.8 - Unauthenticated Privilege Escalation in men","CVE":"CVE-2025-13618","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"13618","Ordinal":"1","NoteData":"The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.","Type":"Description","Title":"Mentoring <= 1.2.8 - Unauthenticated Privilege Escalation in men"}]}}}