Attack Chain

1. An unauthenticated attacker identifies a WordPress site using the vulnerable Mentoring plugin (version <= 1.2.8).
2. The attacker crafts a malicious HTTP POST request targeting the registration endpoint associated with the mentoring_process_registration() function.
3. The crafted request includes parameters designed to register a new user account with administrator privileges.
4. Due to the insufficient role validation within the mentoring_process_registration() function, the plugin allows the attacker to specify the ‘administrator’ role during registration.
5. The plugin creates a new user account in the WordPress database with the specified administrator role.
6. The attacker logs into the WordPress site using the newly created administrator account.
7. The attacker gains full control over the WordPress site, including the ability to modify content, install plugins, and manage user accounts.

Impact

Successful exploitation of this vulnerability grants unauthenticated attackers complete administrative control over the affected WordPress website. This can lead to a range of malicious activities, including defacement, data theft, installation of malware, and denial of service. The impact is significant due to the ease of exploitation and the potential for widespread compromise of websites using the vulnerable plugin.

Recommendation

• Immediately update the Mentoring plugin for WordPress to the latest version (greater than 1.2.8) to patch CVE-2025-13618.
• Deploy the Sigma rule Detect WordPress Mentoring Plugin Admin Registration to identify potential exploitation attempts targeting the mentoring_process_registration() function.
• Monitor WordPress access logs for suspicious registration attempts targeting the vulnerable plugin.