CVE-2025-13619 in Flex Store Users Plugin

Summary

by MITRE • 12/20/2025

The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. This is due to the 'fsUserHandle::signup' and the 'fsSellerRole::add_role_seller' functions not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can be exploited with the 'fs_type' parameter if the Flex Store Seller plugin is also activated.


Analysis

by VulDB Data Team • 12/21/2025

The vulnerability identified as CVE-2025-13619 affects the Flex Store Users plugin for WordPress. It is a critical privilege escalation flaw that undermines the integrity of the plugin's user authentication mechanisms. It exists in all versions up to and including 1.1.0, so every WordPress installation that relies on this plugin for user management is affected. The flaw stems from inadequate input validation and missing role restriction in the plugin's core functionality, specifically in the fsUserHandle::signup and fsSellerRole::add_role_seller functions that handle user registration.

Technically, the vulnerability lets unauthenticated attackers manipulate the registration process because no role validation is performed during user creation. When the fs_type parameter is used together with the Flex Store Seller plugin, attackers can submit a role value that bypasses the normal WordPress user role restrictions. The plugin neither validates nor sanitizes the role parameter provided during registration, so an attacker can request administrator privileges directly during sign-up. In effect, the security boundary that normally prevents users from self-assigning elevated privileges is absent, creating a direct path to administrative access without any prior authentication.

Operationally, the vulnerability poses an extremely high risk to WordPress sites because it allows complete compromise of the administrative interface without any prior access credentials. An attacker need only visit the registration page, manipulate the fs_type parameter to request the administrator role, and thereby gain full control over the WordPress installation. The threat is particularly dangerous because anyone who can reach the site's registration functionality can exploit it, making it a zero-day vulnerability that can be weaponized immediately upon discovery. The impact extends beyond privilege escalation to potential data theft, site defacement, malware installation, and complete system compromise.

The vulnerability aligns with CWE-264, "Permissions, Privileges, and Access Controls," and specifically reflects a failure to enforce access control during user registration. Within the MITRE ATT&CK framework it maps to T1078.004, "Valid Accounts: Cloud Accounts," and T1484.001, "Abuse of Functionality: Group Policy Modification," since it lets attackers obtain administrative privileges through a legitimate user registration pathway. Organizations should immediately apply mitigations, including plugin updates, enforcement of input validation, and network-level restrictions on exploitation. The recommended remediation is to upgrade to the latest plugin version that addresses the role validation flaw, add further authentication layers, and audit all user registration endpoints to confirm that privilege enforcement is in place.
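The following is an added illustration of the flaw class described above and of the "input validation enforcement" remediation; it is not code from the Flex Store Users plugin or from VulDB. It shows a WordPress registration handler that copies a caller-supplied role into wp_insert_user() (the vulnerable pattern) beside a hardened handler that maps a request type such as fs_type onto a closed, server-side allowlist of low-privilege roles. All function names, the type-to-role map and the 'seller' role slug are hypothetical; wp_insert_user(), get_role(), WP_Role::has_cap(), sanitize_key(), sanitize_user(), sanitize_email(), is_wp_error() and the users_can_register / default_role options are standard WordPress APIs.

```php
<?php
/*
 * Added illustration, not the plugin's own code. Names prefixed
 * "example_" and the EXAMPLE_TYPE_TO_ROLE map are hypothetical.
 */

// VULNERABLE PATTERN: the role is read straight from the request and passed to
// wp_insert_user(). An unauthenticated caller who sends role=administrator (or a
// parameter the plugin later maps to a role) gets an administrator account.
function example_signup_insecure( array $request ) {
    $userdata = array(
        'user_login' => sanitize_user( $request['user_login'] ?? '', true ),
        'user_email' => sanitize_email( $request['user_email'] ?? '' ),
        'user_pass'  => $request['user_pass'] ?? '',
        // Privilege level chosen by the caller: this is the defect.
        'role'       => $request['role'] ?? get_option( 'default_role' ),
    );
    return wp_insert_user( $userdata );
}

// HARDENED PATTERN: the client may only pick a registration *type*; the role is
// derived from a fixed server-side map and is never read from the request.
// Map keys and the 'seller' slug are hypothetical; 'subscriber' is a WordPress
// default role.
const EXAMPLE_TYPE_TO_ROLE = array(
    'customer' => 'subscriber',
    'seller'   => 'seller',
);

// Resolve a requested type to a role, or return a WP_Error.
function example_resolve_role( $requested_type ) {
    $type = sanitize_key( (string) $requested_type );
    if ( ! isset( EXAMPLE_TYPE_TO_ROLE[ $type ] ) ) {
        return new WP_Error( 'invalid_type', 'Unknown registration type.' );
    }
    $role     = EXAMPLE_TYPE_TO_ROLE[ $type ];
    $role_obj = get_role( $role );
    // Defence in depth: refuse roles WordPress does not know about, and refuse
    // any role that can manage other users even if the map is edited later.
    if ( null === $role_obj
        || $role_obj->has_cap( 'edit_users' )
        || $role_obj->has_cap( 'promote_users' ) ) {
        return new WP_Error( 'forbidden_role', 'Self-registration cannot grant this role.' );
    }
    return $role;
}

function example_signup_hardened( array $request ) {
    // Honour the site-wide registration switch before creating anything.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.' );
    }
    // Only the type is taken from the request; 'customer' is the fallback.
    $role = example_resolve_role( $request['fs_type'] ?? 'customer' );
    if ( is_wp_error( $role ) ) {
        return $role;
    }
    $userdata = array(
        'user_login' => sanitize_user( $request['user_login'] ?? '', true ),
        'user_email' => sanitize_email( $request['user_email'] ?? '' ),
        'user_pass'  => $request['user_pass'] ?? '',
        'role'       => $role, // server-chosen, never $request['role']
    );
    return wp_insert_user( $userdata );
}
```

The essential change is that the request can no longer name a role at all: it names a type, the server looks that type up in a closed map, and the resulting role is checked against the capabilities that distinguish administrators (edit_users, promote_users) before the account is created. Auditing other registration endpoints for the same pattern, as the analysis recommends, means looking for any path on which a value from $_POST, $_GET or a REST request reaches the 'role' key of wp_insert_user(), wp_update_user() or WP_User::set_role().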

Disclosure

12/20/2025

Moderation

accepted

CPE

ready

EPSS

0.00184

KEV

no

Activities

very low

Sources
