PT-2025-52547 · WordPress+1 · Flex Store Users+1
Ismail Syaleh · Published 2025-12-20 · Updated 2026-01-02
CVE-2025-13619
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Flex Store Users plugin for WordPress versions prior to 1.1.1
Description
The Flex Store Users plugin for WordPress is vulnerable to privilege escalation. Because the fsUserHandle::signup and fsSellerRole::add_role_seller functions do not sufficiently restrict which user role may be set during registration, unauthenticated attackers can register with the 'administrator' role and gain administrator access to the site. The fs_type parameter is involved when the Flex Store Seller plugin is also activated.
Recommendations
Versions prior to 1.1.1 should be updated.
Fix
LPE
Improper Privilege Management
Affected Products
Flex Store Seller
Flex Store Users