PT-2025-48227 · WordPress · Findall Membership+1

Ismail Syaleh · Published 2025-11-27 · Updated 2026-04-08 · CVE-2025-13538

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
FindAll Listing versions prior to 1.0.6

Description
The FindAll Listing plugin for WordPress is susceptible to a privilege escalation issue. This occurs because the findall listing user registration additional params function does not properly limit the user roles that can be selected during registration. This allows unauthenticated attackers to assign themselves the 'administrator' role during the registration process, thereby gaining administrative access to the WordPress site. This exploitation is only possible if the FindAll Membership plugin is also active, as it handles the user registration process.

Recommendations
Versions prior to 1.0.6 should be updated. As a temporary measure, disable user registration functionality.
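
The missing control described above is a server-side allowlist on the role a self-registering account may receive. The following is an added example, not FindAll or WordPress project code: a must-use plugin that enforces such an allowlist as defense in depth. It assumes the role is assigned through wp_insert_user() or WP_User::set_role(), both of which fire the core set_user_role action; the constant names, function names and the single-entry allowlist are hypothetical and must be adapted to the site.

```php
<?php
/**
 * Added example (not FindAll code): block privileged roles from being
 * assigned in an unauthenticated request such as public registration.
 * Save under wp-content/mu-plugins/ (file name is arbitrary).
 */

// Assumption: the only roles a self-registered account may hold on this site.
const REG_ROLE_ALLOWLIST = array( 'subscriber' );
const REG_ROLE_FALLBACK  = 'subscriber';

/** Strict allowlist check; an empty role (no capabilities) is harmless. */
function reg_role_is_allowed( $role ) {
	if ( '' === $role ) {
		return true;
	}
	return is_string( $role ) && in_array( $role, REG_ROLE_ALLOWLIST, true );
}

/** Runs on every WP_User::set_role(), including the call inside wp_insert_user(). */
function reg_role_enforce_allowlist( $user_id, $role, $old_roles ) {
	// Trusted contexts: installer, WP-CLI, and logged-in users allowed to promote.
	if ( wp_installing() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
		return;
	}
	if ( is_user_logged_in() && current_user_can( 'promote_users' ) ) {
		return;
	}
	if ( reg_role_is_allowed( $role ) ) {
		return;
	}
	// Downgrade and leave a trail for review. The nested set_role() re-enters
	// this hook with an allowlisted role, returns above, and cannot loop.
	$user = new WP_User( $user_id );
	$user->set_role( REG_ROLE_FALLBACK );
	error_log( sprintf(
		'[role-allowlist] user %d requested role "%s" from %s; reset to "%s"',
		$user_id,
		sanitize_key( (string) $role ),
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
		REG_ROLE_FALLBACK
	) );
}
add_action( 'set_user_role', 'reg_role_enforce_allowlist', 10, 3 );
```

The hook also constrains other role changes made without a logged-in administrator (scheduled tasks, payment webhooks), so any non-privileged roles those flows assign need to be added to the allowlist. It does not replace updating to 1.0.6.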

Fix

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers: CVE-2025-13538

Affected Products: Findall Listing, Findall Membership