CVE-2025-13618: WordPress Mentoring Plugin Allows Admin Account Registration
The Mentoring plugin for WordPress, in all versions up to and including 1.2.8, is critically vulnerable to privilege escalation. The National Vulnerability Database reports that this flaw, tracked as CVE-2025-13618 with a CVSS score of 9.8, stems from inadequate role restriction within the mentoring_process_registration() function.
This misconfiguration permits unauthenticated attackers to register new user accounts directly with administrator-level privileges. The implications are severe: a threat actor can bypass authentication, create an admin account, and subsequently gain full control over the affected WordPress site. This isn’t a complex exploit; it’s a fundamental bypass of access controls that opens the door to complete compromise.
Defenders must recognize this as an immediate threat. Given the prevalence of WordPress and its plugins, this vulnerability presents a wide attack surface for opportunistic exploitation. An attacker’s calculus is simple: find unpatched sites, register as an admin, and move to exfiltrate data, deface the site, or establish persistent backdoors.
What This Means For You
- If your organization uses the Mentoring plugin for WordPress, assess your version immediately. Patching to a secure version is paramount.
- If a patch is not available, disable or remove the plugin.
- Audit all user registrations for unauthorized administrator accounts, especially those created recently.
- This is a critical access control bypass; assume compromise if you are running an affected version.
Related ATT&CK Techniques
🛡️ Detection Rules
```yaml
title: 'CVE-2025-13618: WordPress Mentoring Plugin Admin Registration'
id: scw-2026-05-05-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2025-13618 by identifying POST requests to the WordPress admin area that include the 'mentoring_process_registration' function in the query string. This function is vulnerable to privilege escalation, allowing unauthenticated users to register as administrators.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2025-13618/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-admin/'
    cs-uri-query|contains:
      - 'mentoring_process_registration'
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
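To see what the rule's `selection` actually fires on, here is an added example (not part of the feed page or the Sigma rule itself) that expresses the three selection clauses as a predicate and runs it over a handful of constructed W3C-style web server log lines. The field layout, the log lines, the query-string values and the helper names (`WebLogEvent`, `parse_w3c`, `selection_matches`, `matching_events`, `source_ips`) are all assumptions made for this illustration; they are not taken from the plugin or from any real traffic.

```python
"""
Evaluate the Sigma 'selection' from the rule above against constructed
web server log lines. Everything here is illustrative: the log format,
the sample lines and the helper names are assumptions for this example.
"""
from dataclasses import dataclass
from typing import List

# Constructed W3C extended-log layout for this example (one field per column):
#   date time c-ip cs-method cs-uri cs-uri-query sc-status
# The query-string values are made up; they only exercise the rule's matching.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri cs-uri-query sc-status
2026-05-05 06:20:01 203.0.113.10 POST /wp-admin/admin-ajax.php fn=mentoring_process_registration 200
2026-05-05 06:21:14 198.51.100.7 GET /wp-admin/users.php - 200
2026-05-05 06:22:30 203.0.113.10 POST /wp-admin/admin-ajax.php action=heartbeat 200
2026-05-05 06:23:02 192.0.2.44 POST /wp-admin/admin-post.php - 302
2026-05-05 06:24:45 198.51.100.7 POST /wp-admin/admin.php page=mentoring_process_registration 200
"""


@dataclass(frozen=True)
class WebLogEvent:
    date: str
    time: str
    c_ip: str
    cs_method: str
    cs_uri: str
    cs_uri_query: str
    sc_status: str


def parse_w3c(text: str) -> List[WebLogEvent]:
    """Parse the constructed layout above; skip directives, blanks and malformed rows."""
    events: List[WebLogEvent] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 7:
            continue  # do not let one bad row abort the whole evaluation
        events.append(WebLogEvent(*parts))
    return events


def selection_matches(ev: WebLogEvent) -> bool:
    """The rule's 'selection': all three clauses must hold (condition: selection).

    Sigma string matching is case-insensitive, so compare lower-cased values.
    """
    uri_ok = "/wp-admin/" in ev.cs_uri.lower()
    query_ok = "mentoring_process_registration" in ev.cs_uri_query.lower()
    method_ok = ev.cs_method.lower() == "post"
    return uri_ok and query_ok and method_ok


def matching_events(text: str) -> List[WebLogEvent]:
    """Return every parsed event the rule would alert on."""
    return [ev for ev in parse_w3c(text) if selection_matches(ev)]


def source_ips(text: str) -> List[str]:
    """Distinct client IPs behind the alerts, handy for pivoting in the SIEM."""
    return sorted({ev.c_ip for ev in matching_events(text)})


if __name__ == "__main__":
    for ev in matching_events(SAMPLE_LOG):
        print(f"ALERT {ev.date} {ev.time} {ev.c_ip} {ev.cs_method} {ev.cs_uri}?{ev.cs_uri_query}")
```

Two of the five constructed lines match: the first POST with the function name in its query string, and the last one, where an administrator simply opened a plugin page whose query string happens to contain the same token, which is exactly the "legitimate administrative activity" false positive the rule lists. The POST to `admin-post.php` with no query string is a miss, which illustrates the rule's coverage boundary: it can only see what the web server writes to `cs-uri-query`, not the request body, so pair it with the user-registration audit recommended above rather than relying on it alone.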
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2025-13618 | Privilege Escalation | Mentoring plugin for WordPress versions <= 1.2.8 |
| CVE-2025-13618 | Privilege Escalation | Vulnerable function: mentoring_process_registration() |
| CVE-2025-13618 | Privilege Escalation | Attack vector: Unauthenticated user registration with administrator privileges |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 05, 2026 at 06:15 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.