Description
The FindAll Listing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.5. This is due to the 'findall_listing_user_registration_additional_params' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if the FindAll Membership plugin is also activated, because user registration is in that plugin.
Published: 2025-11-27
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation (Unauthenticated)
Action: Patch ASAP
AI Analysis

Impact

The FindAll Listing WordPress plugin contains a flaw that allows any remote user to register a new account with elevated privileges. The vulnerability exists because the findall_listing_user_registration_additional_params function accepts a role value without validating it against the list of allowed roles. If an attacker crafts a registration request carrying the role value 'administrator', the system will create an administrator account, giving the attacker full control over the site. This flaw delivers uncontestable administrator access and is active only when the FindAll Membership plugin is enabled, since registration handling occurs in that plugin.

Affected Systems

Elated Themes' FindAll Listing plugin versions 1.0.5 and earlier are affected. The attack requires that the complementary FindAll Membership plugin be installed and activated, which is common in WordPress setups that use the FindAll business directory solution.

Risk and Exploitability

The flaw carries a CVSS score of 9.8, reflecting its critical severity and the breadth of impact. The EPSS score of less than 1% indicates that, as of the last update, the probability of exploitation is very low, and the vulnerability is not listed in CISA's KEV catalog. However, because an unauthenticated user can directly register an administrator account, the attack vector is straightforward and requires no pre‑existing account or complex interaction. Exploitation is contingent on the Membership plugin being turned on, but the simplicity of the registration payload and the high value of the target role make the process highly viable for motivated adversaries.

Generated by OpenCVE AI on April 22, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FindAll Listing to a version newer than 1.0.5, which removes the unrestricted role parameter in the registration process.
  • Verify that the FindAll Membership plugin is also updated to a release that limits role assignments or disable the registration component if an update is not available.
  • If updating is not immediately possible, block or remove the findall_listing_user_registration_additional_params endpoint by adjusting the plugin's hooks or using a security plugin to restrict registration to approved roles.

Generated by OpenCVE AI on April 22, 2026 at 16:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 28 Nov 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 27 Nov 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Elated Themes
Elated Themes findall Listing
Wordpress
Wordpress wordpress
Vendors & Products Elated Themes
Elated Themes findall Listing
Wordpress
Wordpress wordpress

Thu, 27 Nov 2025 04:45:00 +0000

Type Values Removed Values Added
Description The FindAll Listing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.5. This is due to the 'findall_listing_user_registration_additional_params' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if the FindAll Membership plugin is also activated, because user registration is in that plugin.
Title FindAll Listing <= 1.0.5 - Unauthenticated Privilege Escalation
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Elated Themes Findall Listing
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:49.908Z

Reserved: 2025-11-22T04:52:29.052Z

Link: CVE-2025-13538

cve-icon Vulnrichment

Updated: 2025-11-28T14:42:09.888Z

cve-icon NVD

Status : Deferred

Published: 2025-11-27T05:16:12.453

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13538

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses