critical advisory

WordPress Mentoring Plugin Privilege Escalation Vulnerability

The Mentoring plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated attackers to register with administrator-level user accounts due to improper role restriction in the mentoring_process_registration() function.

The Mentoring plugin for WordPress, versions 1.2.8 and earlier, contains a critical vulnerability (CVE-2025-13618) that allows unauthenticated attackers to escalate privileges. This flaw resides in the mentoring_process_registration() function, which fails to properly restrict the roles that new users can register with. By exploiting this vulnerability, an attacker can bypass authentication and directly create administrator accounts, granting them full control over the affected WordPress site. This vulnerability was reported by Wordfence.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress site using the vulnerable Mentoring plugin (version <= 1.2.8).
  2. The attacker crafts a malicious HTTP POST request targeting the registration endpoint associated with the mentoring_process_registration() function.
  3. The crafted request includes parameters designed to register a new user account with administrator privileges.
  4. Due to the insufficient role validation within the mentoring_process_registration() function, the plugin allows the attacker to specify the ‘administrator’ role during registration.
  5. The plugin creates a new user account in the WordPress database with the specified administrator role.
  6. The attacker logs into the WordPress site using the newly created administrator account.
  7. The attacker gains full control over the WordPress site, including the ability to modify content, install plugins, and manage user accounts.

Impact

Successful exploitation of this vulnerability grants unauthenticated attackers complete administrative control over the affected WordPress website. This can lead to a range of malicious activities, including defacement, data theft, installation of malware, and denial of service. The impact is significant due to the ease of exploitation and the potential for widespread compromise of websites using the vulnerable plugin.

Recommendation

  • Immediately update the Mentoring plugin for WordPress to the latest version (greater than 1.2.8) to patch CVE-2025-13618.
  • Deploy the Sigma rule Detect WordPress Mentoring Plugin Admin Registration to identify potential exploitation attempts targeting the mentoring_process_registration() function.
  • Monitor WordPress access logs for suspicious registration attempts targeting the vulnerable plugin.

Detection coverage (2 rules)

Detect WordPress Mentoring Plugin Admin Registration

critical

Detects attempts to register a new admin user via the vulnerable Mentoring plugin registration endpoint.

Type: Sigma | Tactics: privilege_escalation | Techniques: T1068 | Sources: webserver, linux

Detect WordPress Mentoring Plugin Registration Endpoint Access

medium

Detects access to the WordPress Mentoring plugin registration endpoint, which may indicate attempts to exploit privilege escalation vulnerabilities.

Type: Sigma | Tactics: discovery | Techniques: T1068 | Sources: webserver, linux

Detection queries are kept inside the platform.
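As an added illustration of the access-log monitoring recommended above and of the two rules described in this section (not the platform's Sigma rules and not the plugin's code), the following Python script parses common-format web server log lines, raises a medium alert for any hit on the plugin's registration endpoint, a critical alert for a POST to it, and a second critical alert when the same IP then POSTs to wp-login.php, which mirrors steps 5 and 6 of the attack chain. The advisory does not name the registration endpoint, so its path is a labelled placeholder, and the sample log is constructed.

```python
import re
from collections import defaultdict

# PLACEHOLDER: the advisory does not name the endpoint; substitute the path the
# Mentoring plugin's registration form actually posts to.
REGISTRATION_PATH = "/PLACEHOLDER-mentoring-registration-endpoint"
LOGIN_PATH = "/wp-login.php"

# Common/combined log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_log(text):
    """Return (severity, ip, reason) tuples in log order.
    medium: any hit on the registration endpoint (rule 2); critical: a POST to
    it (rule 1) and a later wp-login.php POST from the same IP, i.e. the
    self-registered account being used (attack chain steps 5-6)."""
    alerts = []
    posted = defaultdict(bool)  # ip -> has POSTed to the registration endpoint
    for raw in text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        path = e["path"].split("?", 1)[0]  # ignore any query string
        if path == REGISTRATION_PATH:
            if e["method"] == "POST":
                alerts.append(("critical", e["ip"], "POST to Mentoring registration endpoint"))
                posted[e["ip"]] = True
            else:
                alerts.append(("medium", e["ip"], "access to Mentoring registration endpoint"))
        elif path == LOGIN_PATH and e["method"] == "POST" and posted[e["ip"]]:
            alerts.append(("critical", e["ip"], "login attempt after self-registration"))
    return alerts

# Constructed sample log (not real traffic): the first IP walks the attack
# chain; the second only logs in and must not raise an alert.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2025:10:00:01 +0000] "GET /PLACEHOLDER-mentoring-registration-endpoint HTTP/1.1" 200 5120
203.0.113.7 - - [10/Dec/2025:10:00:05 +0000] "POST /PLACEHOLDER-mentoring-registration-endpoint HTTP/1.1" 302 0
203.0.113.7 - - [10/Dec/2025:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Dec/2025:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for severity, ip, reason in scan_log(SAMPLE_LOG):
        print(f"{severity:8} {ip:15} {reason}")
```

Access logs do not carry POST bodies, so the role parameter itself is not visible here; the POST to the endpoint is the strongest signal the web server layer offers, and the follow-on login from the same source is what distinguishes an exploitation attempt from a scanner.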