Urgent Security Alert: Critical Privilege Escalation Vulnerability in FindAll Listing WordPress Plugin (CVE-2025-13538)

Overview

A critical security vulnerability, identified as CVE-2025-13538, has been discovered in the FindAll Listing plugin for WordPress. This vulnerability allows unauthenticated attackers to escalate their privileges to administrator level, potentially compromising the entire website. This affects all versions up to, and including, 1.0.5. Crucially, this vulnerability is only exploitable when the FindAll Membership plugin is also active.

Technical Details

The vulnerability stems from the findall_listing_user_registration_additional_params function within the FindAll Listing plugin. This function fails to properly restrict the user roles that can be assigned during user registration. An attacker can exploit this by submitting the ‘administrator’ role during the registration process when the FindAll Membership plugin is active. Because the registration process within the FindAll Listing plugin depends on the FindAll Membership plugin, the vulnerability only manifests when both plugins are enabled.
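The following is an added illustration of the bug class described above, written for this page; it is not the FindAll Listing plugin's own code. It places a registration handler that honours a caller-supplied role next to a hardened version that checks the requested role against a fixed allowlist. All function names, the request field names and the allowlist contents are assumptions.

```php
<?php
// Added example, not code from the FindAll Listing plugin.
// Shows the pattern behind CVE-2025-13538 (role taken from request data)
// beside a hardened registration handler. Names are hypothetical.

// Vulnerable pattern: whatever role string the client submits is passed
// straight into wp_insert_user(), so 'administrator' is accepted.
function example_register_user_unsafe( array $params ) {
    $userdata = array(
        'user_login' => sanitize_user( $params['user_login'] ?? '' ),
        'user_email' => sanitize_email( $params['user_email'] ?? '' ),
        'user_pass'  => $params['user_pass'] ?? '',
        // BUG: no restriction on which roles self-registration may assign.
        'role'       => $params['role'] ?? get_option( 'default_role', 'subscriber' ),
    );
    return wp_insert_user( $userdata );
}

// Hardened pattern: roles that self-registration may assign are fixed in code.
// Hypothetical allowlist; a real plugin would expose this through a filter.
function example_allowed_registration_roles(): array {
    return array( 'subscriber', 'listing_owner' );
}

function example_register_user_safe( array $params ) {
    $requested = isset( $params['role'] ) ? sanitize_key( $params['role'] ) : 'subscriber';

    // Reject anything outside the allowlist instead of silently accepting it.
    if ( ! in_array( $requested, example_allowed_registration_roles(), true ) ) {
        return new WP_Error(
            'forbidden_role',
            'The requested role is not available for self-registration.'
        );
    }

    // Defence in depth: privileged roles are never assignable from an
    // unauthenticated request, even if the allowlist is later misconfigured.
    if ( ! is_user_logged_in() && in_array( $requested, array( 'administrator', 'editor' ), true ) ) {
        return new WP_Error( 'forbidden_role', 'Privileged roles cannot be self-assigned.' );
    }

    $userdata = array(
        'user_login' => sanitize_user( $params['user_login'] ?? '' ),
        'user_email' => sanitize_email( $params['user_email'] ?? '' ),
        'user_pass'  => $params['user_pass'] ?? '',
        'role'       => $requested,
    );
    return wp_insert_user( $userdata );
}
```

The important difference is where the decision is made: in the hardened handler the set of assignable roles is a property of the code, not of the request, and an out-of-range value is an error rather than something to "clean up" later. Granting a privileged role should always require an already-authenticated user with the `promote_users` capability, which is a separate code path from public registration.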

CVSS Analysis

  • CVE ID: CVE-2025-13538
  • Severity: CRITICAL
  • CVSS Score: 9.8

A CVSS score of 9.8 indicates a critical vulnerability. This means it’s easily exploitable, requires no user interaction, and can lead to complete system compromise.

Possible Impact

Successful exploitation of this vulnerability can have devastating consequences, including:

  • Complete website takeover: An attacker gaining administrator access can modify any aspect of the website, including content, settings, and plugins.
  • Data theft: Sensitive data stored on the website, such as user information and financial details, could be stolen.
  • Malware distribution: The attacker could inject malicious code into the website to infect visitors.
  • SEO manipulation: The website’s search engine ranking could be negatively impacted through spam injection or other malicious activities.
  • Defacement: The attacker could deface the website, damaging its reputation.

Mitigation and Patch Steps

The recommended mitigation steps are as follows:

  • Update the FindAll Listing plugin: Check for updates to the FindAll Listing plugin through your WordPress dashboard. If a version later than 1.0.5 is available, update immediately. Check the changelog to confirm the vulnerability is addressed.
  • Disable the FindAll Listing plugin: If an update is not yet available, disable the FindAll Listing plugin as a temporary measure to prevent exploitation. Note this will also disable the functionality of the plugin.
  • Disable the FindAll Membership plugin: If you are not actively using the FindAll Membership plugin, disable it. The vulnerability is only exploitable when both plugins are active.
  • Review User Accounts: Check for any newly created administrator accounts that you don’t recognize. Remove them immediately.
  • Implement a Web Application Firewall (WAF): A WAF can help detect and block malicious requests targeting this vulnerability.
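For the account-review step, the following is an added script for this page (not part of the advisory or of either FindAll plugin) that lists administrator accounts registered within a chosen window, using WordPress's own `WP_User_Query`. The function name, the default window and the output format are assumptions; run it from the WordPress root with `wp eval-file audit-admins.php` or load it as a must-use plugin.

```php
<?php
// Added example for reviewing newly created administrator accounts.
// Not the plugins' own code. Intended for `wp eval-file` or a mu-plugin,
// so WordPress is already loaded. The 30-day window is an assumption.

function example_recent_administrators( int $days = 30 ): array {
    $since = gmdate( 'Y-m-d H:i:s', time() - $days * DAY_IN_SECONDS );

    // WP_User_Query supports a date_query on the user_registered column,
    // which is the creation timestamp set by wp_insert_user().
    $query = new WP_User_Query( array(
        'role'       => 'administrator',
        'date_query' => array(
            array(
                'column' => 'user_registered',
                'after'  => $since,
            ),
        ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );

    $found = array();
    foreach ( $query->get_results() as $user ) {
        $found[] = array(
            'ID'         => $user->ID,
            'login'      => $user->user_login,
            'email'      => $user->user_email,
            'registered' => $user->user_registered,
        );
    }
    return $found;
}

// Report only; deleting or demoting accounts is left to the operator after
// confirming which administrators were legitimately created.
$recent = example_recent_administrators( 30 );
$lines  = array();
foreach ( $recent as $admin ) {
    $lines[] = sprintf(
        'ID %d  %-20s  %-30s  registered %s',
        $admin['ID'],
        $admin['login'],
        $admin['email'],
        $admin['registered']
    );
}
if ( empty( $lines ) ) {
    $lines[] = 'No administrator accounts registered in the last 30 days.';
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    foreach ( $lines as $line ) {
        WP_CLI::log( $line );
    }
} else {
    foreach ( $lines as $line ) {
        error_log( $line );
    }
}
```

Any administrator in the output that you or a colleague did not create is the indicator the advisory describes. After confirming, it can be removed with `wp user delete <ID> --reassign=<trusted-admin-ID>` so that any content it created is not lost. Because a compromised administrator can also add new users, rotate credentials for the remaining administrators and re-run the check after applying the plugin update.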

About the author: Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
