Critical (9.8)

WordPress Privilege Escalation (CVE-2025-13563)

CVE-2025-13563

The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'lizza_lms_pro_register_user_front_end' function not restri...

Affected: WordPress

Overview

A critical security vulnerability has been identified in the Lizza LMS Pro plugin for WordPress. This flaw allows any unauthenticated user, such as a website visitor, to register an account with full administrator privileges, granting them complete control over the affected WordPress site.

Vulnerability Details

In all versions up to and including 1.0.3, the plugin's front-end registration function (lizza_lms_pro_register_user_front_end) does not validate or restrict the role assigned to the newly created account. A self-registration flow should only ever create accounts with the site's low-privilege default role (typically "subscriber"), regardless of what the request contains. Because the role is not enforced server-side, an attacker can specify "administrator" as the desired role when registering, and the plugin creates the account with that role. No authentication is required, so any visitor who can reach the registration form can obtain full control of the site.
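The bug class described above, shown as an added illustrative example next to a hardened handler. This is not the Lizza LMS Pro source (the advisory does not reproduce it); the hook names, form field names, nonce action and the "student" role are assumptions made for the example.

```php
<?php
/*
 * Added illustrative example, NOT the Lizza LMS Pro source. It shows the class
 * of bug the advisory describes (request-controlled role passed to account
 * creation) next to a hardened handler. Hook names, form field names, the
 * nonce action and the 'student' role are assumptions made for the example.
 */

// --- Vulnerable pattern -----------------------------------------------------
// Registered for logged-out visitors, so anyone who can reach the site can call it.
add_action( 'admin_post_nopriv_example_register', 'example_register_user_vulnerable' );

function example_register_user_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['password'] ?? '' );

    // BUG: the role comes straight from the request. Sanitising it does not
    // restrict it; a visitor can simply send role=administrator.
    $role = sanitize_key( wp_unslash( $_POST['role'] ?? 'subscriber' ) );

    // wp_insert_user() applies whatever role it is given and performs no
    // capability check on the caller, so this creates a full administrator.
    $user_id = wp_insert_user( [
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ] );

    if ( is_wp_error( $user_id ) ) {
        wp_die( esc_html( $user_id->get_error_message() ), '', [ 'response' => 400 ] );
    }
    wp_safe_redirect( home_url( '/' ) );
    exit;
}

// --- Hardened pattern -------------------------------------------------------
add_action( 'admin_post_nopriv_example_register_safe', 'example_register_user_hardened' );

function example_register_user_hardened() {
    // 1. Respect the site-wide "Anyone can register" switch (Settings > General).
    if ( ! get_option( 'users_can_register' ) ) {
        wp_die( 'Registration is closed.', '', [ 'response' => 403 ] );
    }

    // 2. CSRF protection for the form submission (nonce action is an assumption).
    $nonce = (string) wp_unslash( $_POST['_example_nonce'] ?? '' );
    if ( ! wp_verify_nonce( $nonce, 'example_register' ) ) {
        wp_die( 'Invalid request.', '', [ 'response' => 403 ] );
    }

    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) wp_unslash( $_POST['password'] ?? '' );

    // 3. The role is decided by the server and never read from the request.
    //    Start from the site's configured default role ...
    $role = get_option( 'default_role', 'subscriber' );

    // 4. ... and keep an explicit allow-list of roles that self-registration may
    //    ever produce, so a misconfigured default cannot hand out admin either.
    $self_registration_roles = [ 'subscriber', 'student' ]; // 'student' is hypothetical
    if ( ! in_array( $role, $self_registration_roles, true ) ) {
        $role = 'subscriber';
    }

    $user_id = wp_insert_user( [
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ] );

    if ( is_wp_error( $user_id ) ) {
        wp_die( esc_html( $user_id->get_error_message() ), '', [ 'response' => 400 ] );
    }
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
```

The point of the hardened version is that the role never enters the handler as user input at all. WordPress core's own user management only lets a caller choose a role when that caller holds the promote_users capability, which an unauthenticated visitor never does; a front-end registration endpoint has no legitimate reason to accept a role parameter.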

Impact Assessment

This is a critical privilege escalation vulnerability with a CVSS score of 9.8. The impact is severe:

  • Full Site Compromise: An attacker gains the same level of access as the legitimate site owner.
  • Data Theft or Destruction: They can steal sensitive user data, deface the site, inject malware, or delete content.
  • Backdoor Creation: Attackers can create hidden administrator accounts or install other malicious plugins to maintain access even after the initial vulnerability is patched.
  • Pivoting to Visitors and Others: A compromised site can be used to serve malware or phishing pages to its visitors, or as infrastructure for further malicious campaigns.

Remediation and Mitigation

Immediate action is required to secure affected websites.

Primary Action: Update Immediately

The most effective remediation is to update the Lizza LMS Pro plugin to a version newer than 1.0.3 as soon as the developer releases a patch. Check the official WordPress plugin repository or the developer's site for updates, and confirm the installed version afterwards under Plugins > Installed Plugins (or with the WP-CLI command wp plugin list).

Immediate Mitigation Steps (If Update is Not Yet Available):

  1. Deactivate the Plugin: If you are not using the plugin’s critical functions, deactivate it immediately via your WordPress admin panel under Plugins > Installed Plugins.
  2. Delete the Plugin: If you can temporarily do without its functionality, completely delete the plugin. This is the most secure interim action.
  3. Restrict User Registration: If you must keep the plugin active, disable open user registration. Navigate to Settings > General in your WordPress admin and ensure "Anyone can register" is UNCHECKED. Treat this as a partial measure: the vulnerable code path is the plugin's own front-end registration function, and the advisory does not state whether that function honours the core setting. After unchecking it, confirm that the plugin's registration form no longer creates accounts.

Post-Mitigation Actions:

  • Audit User Accounts: After applying the fix, review your WordPress user list for administrator accounts you do not recognise, especially recently registered ones with unfamiliar email addresses, and remove them. Because a hostile administrator can change other accounts' passwords and keep sessions open, also reset the passwords of the remaining administrators and log out all sessions.
  • Security Scan: Run a full security scan using a reputable WordPress security plugin to check for injected malware or backdoors resulting from a potential compromise. Also compare core and plugin files against the official checksums (wp core verify-checksums and wp plugin verify-checksums --all in WP-CLI) and look for plugins or mu-plugins you did not install.
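The account audit above, as an added example script (not part of the advisory) meant to be run through WP-CLI from the site root with wp eval-file admin-audit.php. The EXAMPLE_KNOWN_ADMINS list and the 30-day window are assumptions; replace them with the logins you expect to hold the administrator role and the period since the plugin was installed.

```php
<?php
/*
 * Added audit example, not part of the advisory. Run from the site root with
 * WP-CLI:  wp eval-file admin-audit.php
 * EXAMPLE_KNOWN_ADMINS and the 30-day window are assumptions for the example;
 * replace them with the logins you expect to hold the administrator role.
 */

// Logins expected to be administrators on this site (assumption; edit it).
const EXAMPLE_KNOWN_ADMINS = [ 'site-owner' ];

// Every account holding the administrator role, newest registration first.
// The 'role' query matches the wp_capabilities meta, so it also catches
// accounts that were granted the role directly rather than via the Users screen.
function example_all_admins() {
    $q = new WP_User_Query( [
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ] );
    return $q->get_results();
}

// Administrators whose user_registered timestamp falls inside the window.
function example_recent_admins( $after = '30 days ago' ) {
    $q = new WP_User_Query( [
        'role'       => 'administrator',
        'date_query' => [ [ 'after' => $after ] ],
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ] );
    return $q->get_results();
}

// Administrators not on the expected list: the accounts to review first.
function example_unexpected_admins( array $known ) {
    return array_values( array_filter(
        example_all_admins(),
        function ( WP_User $u ) use ( $known ) {
            return ! in_array( $u->user_login, $known, true );
        }
    ) );
}

function example_print_users( $label, array $users ) {
    echo '== ' . $label . ' (' . count( $users ) . ")\n";
    foreach ( $users as $u ) {
        printf( "  #%-5d %-20s %-35s registered %s\n",
            $u->ID, $u->user_login, $u->user_email, $u->user_registered );
    }
}

example_print_users( 'All administrators', example_all_admins() );
example_print_users( 'Administrators registered in the last 30 days', example_recent_admins() );
example_print_users( 'Administrators not on the expected list',
    example_unexpected_admins( EXAMPLE_KNOWN_ADMINS ) );
```

For a quick look without a script, wp user list --role=administrator --fields=ID,user_login,user_email,user_registered prints the same columns. Remove an unrecognised account with wp user delete <ID> --reassign=<owner ID> so that any content it created is kept for review rather than deleted, then destroy open sessions for the remaining administrators (wp user session destroy <login> --all) and reset their passwords.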

Always ensure you are running the latest versions of all plugins, themes, and WordPress core to maintain a strong security posture.
