Urgent: Critical Privilege Escalation Vulnerability in Tiger WordPress Theme (CVE-2025-13675)

Overview

A critical vulnerability, identified as CVE-2025-13675, has been discovered in the Tiger theme for WordPress. This vulnerability allows unauthenticated attackers to escalate their privileges to administrator level, potentially leading to complete site compromise. All versions of the Tiger theme up to and including version 101.2.1 are affected. This security flaw poses a significant risk to websites using the vulnerable theme, emphasizing the immediate need for mitigation.

Technical Details

The vulnerability stems from a flaw in the paypal-submit.php file. This file is responsible for handling user registration, but it lacks proper validation and authorization checks. Specifically, it does not restrict the user roles that a new user can register with. An unauthenticated attacker can exploit this by crafting a malicious registration request that includes the ‘administrator’ role. When the vulnerable script processes this request without validation, a new administrator account is created, granting the attacker complete control over the WordPress site.

CVSS Analysis

• CVE ID: CVE-2025-13675
• Severity: CRITICAL
• CVSS Score: 9.8

A CVSS score of 9.8 indicates a critical severity level. This score reflects the ease of exploitation (no authentication required) and the high impact on confidentiality, integrity, and availability of the affected system.

Possible Impact

Successful exploitation of this vulnerability can have severe consequences:

• Complete Website Takeover: Attackers can gain full administrative access, allowing them to modify website content, install malicious plugins, and redirect traffic.
• Data Breach: Sensitive data, including user information and database contents, could be compromised.
• Malware Distribution: The website could be used to distribute malware to visitors.
• Denial of Service: Attackers can disable or disrupt the website’s functionality.
• SEO Poisoning: Injection of malicious content can damage the website’s search engine rankings and reputation.

Mitigation and Patch Steps

1. Update Immediately: Check for updates to the Tiger WordPress theme. If a patched version is available (later than 101.2.1), update immediately.
2. Disable Registration (Temporary): As an immediate workaround, disable user registration if it is not essential for your website’s functionality. This can be done in the WordPress settings under “General”.
3. Web Application Firewall (WAF): Implement a Web Application Firewall (WAF) with rules to detect and block malicious registration requests attempting to set the ‘administrator’ role. Wordfence offers rules that can detect and block this type of attack.
4. Review User Accounts: Regularly review user accounts for any unauthorized administrator accounts.
5. Code Review (Advanced): If possible, conduct a code review of the `paypal-submit.php` file to identify and fix the vulnerability directly. (Only recommended for advanced users with PHP development experience).