PT-2025-48229 · WordPress · Tiare Membership

Ismail Syaleh

Published: 2025-11-27
Updated: 2025-11-27
CVE-2025-13540
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Tiare Membership versions prior to 1.3
Description: The Tiare Membership plugin for WordPress is affected by a privilege escalation vulnerability. The plugin's REST API registration handler (the function the advisory calls tiare membership init rest api register) does not validate or restrict the user role parameter supplied in a registration request, so a client-chosen role is passed through to account creation. The root cause is a mass-assignment pattern: the role is an attribute that must be set server-side and never accepted from the client. An unauthenticated attacker can therefore send a registration request that sets the role to 'administrator' and obtain an administrator account, bypassing the site's authentication and authorization controls. Successful exploitation gives the attacker full control of the WordPress site, including installing malicious plugins, modifying content, reading sensitive data and disrupting site operations.
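To make the root cause concrete, the following is an added example (not code from the Tiare Membership plugin or from Qode Interactive) of a WordPress REST registration handler showing the vulnerable pattern the advisory describes next to a hardened version. The route namespace example-membership/v1, the parameter names and the example_* function names are assumptions chosen for illustration:

```php
<?php
// Added illustration of the pattern the advisory describes; this is NOT the
// Tiare Membership plugin's code. Route namespace, parameter names and
// function names are assumptions chosen for the example.

// VULNERABLE PATTERN: the client-supplied 'role' is passed straight into
// wp_insert_user(), which honours the 'role' key. Any unauthenticated caller
// can send role=administrator and receive an administrator account.
function example_vuln_register( WP_REST_Request $request ) {
    $user_id = wp_insert_user( array(
        'user_login' => $request['username'],
        'user_email' => $request['email'],
        'user_pass'  => $request['password'],
        'role'       => $request['role'],   // attacker-controlled
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    return rest_ensure_response( array( 'id' => $user_id ) );
}

// HARDENED PATTERN: the role is never read from the request. It comes from
// the site's configured default, capped so that a misconfigured default
// cannot hand out privileged roles either.
function example_safe_register( WP_REST_Request $request ) {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.', array( 'status' => 403 ) );
    }

    $username = sanitize_user( (string) $request->get_param( 'username' ), true );
    $email    = sanitize_email( (string) $request->get_param( 'email' ) );
    $password = (string) $request->get_param( 'password' );

    if ( ! validate_username( $username ) || ! is_email( $email ) || strlen( $password ) < 12 ) {
        return new WP_Error( 'invalid_input', 'Invalid username, e-mail or password.', array( 'status' => 400 ) );
    }

    $role     = get_option( 'default_role', 'subscriber' );
    $role_obj = get_role( $role );
    // Refuse any default role that carries administrative capabilities.
    if ( ! $role_obj || $role_obj->has_cap( 'manage_options' ) || $role_obj->has_cap( 'edit_users' ) ) {
        $role = 'subscriber';
    }

    // Build userdata from an explicit allow-list of fields; never spread
    // $request->get_params() into wp_insert_user().
    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    $response = rest_ensure_response( array( 'id' => (int) $user_id ) );
    $response->set_status( 201 );
    return $response;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-membership/v1', '/register', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_safe_register',
        // Public endpoint by design: registration must work for anonymous
        // callers. Authorization lives in which role the server assigns,
        // not in who may call the route.
        'permission_callback' => '__return_true',
        // Schema-validated arguments. No 'role' is declared and the handler
        // never reads one, so a supplied role is simply ignored.
        'args'                => array(
            'username' => array( 'required' => true, 'type' => 'string' ),
            'email'    => array( 'required' => true, 'type' => 'string', 'format' => 'email' ),
            'password' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The hardened version is not the vendor's fix; it illustrates the two controls that close this class of bug: the role is assigned server-side from a capability-checked default, and the user record is built from an explicit allow-list of request fields rather than from the raw parameter array.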
Recommendations: Versions prior to 1.3: Update to a version not listed as affected (1.3 or later). If you cannot update yet, disable the Tiare Membership plugin until Qode Interactive's fix can be applied, and restrict access to the plugin's registration REST API endpoint with a web application firewall or server-level access controls. Because exploitation leaves behind a persistent administrator account, also review the site's users for administrators you did not create (for example with WP-CLI: wp user list --role=administrator --fields=ID,user_login,user_email,user_registered) and, if one is found, treat the site as compromised and rotate credentials and authentication salts.

Tags: Fix, LPE
Weakness Enumeration: Improper Privilege Management (CWE-269)
Related Identifiers: CVE-2025-13540
Affected Products: Tiare Membership