PT-2026-36948 · WordPress · Mentoring Plugin

Ismail Syaleh · Published 2026-05-05 · Updated 2026-05-16 · CVE-2025-13618

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Mentoring plugin for WordPress versions prior to 1.2.9

Description: The plugin allows privilege escalation because the mentoring process registration() function does not properly restrict the roles users can select during registration. This flaw enables unauthenticated attackers to create accounts with administrator-level privileges.

Recommendations: Update the plugin to a version later than 1.2.8. As a temporary workaround, restrict access to the registration functionality associated with the mentoring process registration() function.
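
A compensating control for sites that cannot update immediately, as an added example (not the Mentoring plugin's code and not the vendor's fix): a must-use plugin that demotes any account created with a role outside an allowlist when the request has no user-management rights. The file name, `REG_GUARD_ALLOWED_ROLES` and `reg_guard_enforce_role()` are hypothetical names, and the example assumes the account is created through WordPress core, which fires the `user_register` action.

```php
<?php
/**
 * Added example, not the Mentoring plugin's code and not the vendor fix.
 * Hypothetical must-use plugin file: wp-content/mu-plugins/registration-role-guard.php
 * Assumption: the vulnerable path creates the account through WordPress core
 * (wp_insert_user() / wp_create_user()), which fires the 'user_register' action
 * after the requested role has been assigned.
 */

// Roles a self-service registration may end up with (assumed site policy).
const REG_GUARD_ALLOWED_ROLES = array( 'subscriber' );

// Run last so the check sees the roles left by every other callback.
add_action( 'user_register', 'reg_guard_enforce_role', PHP_INT_MAX );

function reg_guard_enforce_role( $user_id ) {
	// Installer and WP-CLI legitimately create administrators without a session.
	if ( wp_installing() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
		return;
	}
	// A logged-in user who may manage roles is creating the account on purpose.
	if ( current_user_can( 'promote_users' ) ) {
		return;
	}

	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return;
	}

	$unexpected = array_diff( (array) $user->roles, REG_GUARD_ALLOWED_ROLES );
	if ( empty( $unexpected ) ) {
		return;
	}

	// set_role() replaces every existing role with the single safe one.
	$user->set_role( REG_GUARD_ALLOWED_ROLES[0] );

	// Leave a trail for incident response: which roles were requested, and from where.
	error_log( sprintf(
		'[registration-role-guard] user_id=%d login=%s requested_roles=%s ip=%s demoted_to=%s',
		$user_id,
		$user->user_login,
		implode( ',', $unexpected ),
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
		REG_GUARD_ALLOWED_ROLES[0]
	) );
}
```

The guard only acts on accounts created after it is installed, so administrator accounts that already exist still need a manual review.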

Fix

LPE

Improper Privilege Management

Weakness Enumeration

Related Identifiers

CVE-2025-13618

Affected Products

Mentoring Plugin