Critical Severity Vulnerability
This vulnerability has been rated as Critical severity. Immediate action is recommended.
CVE-2025-13618 (Critical)
Vulnerability Description
The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.
CVSS Metrics
Common Vulnerability Scoring System
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References & Resources
- https://mentoring-wp.dreamsmarketplace.com/documentation/changelog.html (source: security@wordfence.com)
- https://themeforest.net/item/mentoring-education-wordpress-theme/36457081 (source: security@wordfence.com)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7192fb4c-0434-4e11-a2a7-c205b8d6b68e?source=cve (source: security@wordfence.com)
Severity Details
Weakness Type (CWE): Improper Privilege Management
- Description: The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
- Exploit Likelihood: Medium
- Typical Severity: High
- OWASP Top 10: A01:2021-Broken Access Control
- Abstraction Level: Class
Key Information
- Published Date: May 05, 2026
