PT-2026-20608 · WordPress · Buyent Classified

Ismail Syaleh

·

Published

2026-02-19

·

Updated

2026-03-04

·

CVE-2025-13851

CVSS v3.1

9.8

Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Buyent Classified plugin for WordPress, all versions up to and including 1.0.7
Description: The Buyent Classified plugin for WordPress, as bundled with the Buyent theme, allows unauthenticated privilege escalation through its user registration flow. The plugin exposes registration through the REST API and does not validate or restrict the role assigned during that registration. An attacker who supplies an arbitrary value for the "buyent classified user type" parameter in the registration request can assign themselves any WordPress role, including administrator, and thereby gain complete control of the site. The root cause is that the registration handler takes the role from caller-supplied input instead of fixing it server-side, and no authorization check constrains which roles a self-registering user may receive; since registration is reachable without credentials, no authentication is required to exploit it.
Recommendations: Update the Buyent Classified plugin to a version later than 1.0.7.
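The following is an added illustration of the flaw class described above, written for this entry; it is not the Buyent Classified plugin's code and not taken from the advisory. It shows a WordPress REST registration handler that trusts a caller-supplied role (the vulnerable pattern) beside a hardened handler that maps a public "account type" to a fixed low-privilege role server-side. The route `example/v1/register`, the parameter name `user_type`, the function names and the role mapping are all assumptions made for the example; the real plugin's route, parameter and role names are not given on this page.

```php
<?php
/**
 * Added example (not the plugin's code). Route, parameter and function
 * names are hypothetical. Requires a WordPress runtime (wp_create_user,
 * WP_User, register_rest_route, etc.).
 */

// --- Vulnerable pattern: the role string comes straight from the request ------
function example_register_vulnerable( WP_REST_Request $request ) {
    $username  = sanitize_user( (string) $request->get_param( 'username' ) );
    $email     = sanitize_email( (string) $request->get_param( 'email' ) );
    $password  = (string) $request->get_param( 'password' );
    $user_type = (string) $request->get_param( 'user_type' ); // attacker-controlled

    $user_id = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // Bug: whatever the caller sends becomes the role, 'administrator' included.
    $user = new WP_User( $user_id );
    $user->set_role( $user_type );

    return rest_ensure_response( array( 'id' => $user_id ) );
}

// --- Hardened pattern: account type is looked up in a server-side allow-list --
function example_allowed_public_roles() {
    // Public registration may only yield low-privilege roles (assumed mapping).
    return array(
        'buyer'  => 'subscriber',
        'seller' => 'contributor',
    );
}

function example_register_hardened( WP_REST_Request $request ) {
    // Honour the site-wide "Anyone can register" setting, as wp-login.php does.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_disabled', 'Registration is closed.', array( 'status' => 403 ) );
    }

    $username  = sanitize_user( (string) $request->get_param( 'username' ) );
    $email     = sanitize_email( (string) $request->get_param( 'email' ) );
    $password  = (string) $request->get_param( 'password' );
    $user_type = sanitize_key( (string) $request->get_param( 'user_type' ) );

    $allowed = example_allowed_public_roles();
    if ( ! isset( $allowed[ $user_type ] ) ) {
        return new WP_Error( 'invalid_user_type', 'Unknown account type.', array( 'status' => 400 ) );
    }

    $user_id = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // The role never comes from the request; only the allow-listed value is used.
    $user = new WP_User( $user_id );
    $user->set_role( $allowed[ $user_type ] );

    return rest_ensure_response( array( 'id' => $user_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/register', array(
        'methods'             => 'POST',
        'callback'            => 'example_register_hardened',
        // Registration is unauthenticated by design, so the role restriction
        // has to live in the handler; a permission callback cannot supply it.
        'permission_callback' => '__return_true',
        'args'                => array(
            'user_type' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    $allowed = example_allowed_public_roles();
                    return isset( $allowed[ sanitize_key( (string) $value ) ] );
                },
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of bug, look for any `set_role()`, `add_role()`, or `wp_insert_user()` / `wp_update_user()` call whose `role` value is derived from `$_POST`, `$_REQUEST`, or a `WP_REST_Request` parameter without passing through a fixed allow-list; a `permission_callback` of `__return_true` on the route is expected for a registration endpoint and is not itself the defect, which is why the check must sit on the role value.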

Fix

LPE

Improper Privilege Management


Weakness Enumeration

Related identifiers

CVE-2025-13851

Affected products

Buyent Classified
Buyent Theme