Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
Buyent Classified plugin for WordPress allows attackers to create administrator accounts
CVE-2025-13851
Summary
The Buyent Classified plugin for WordPress, included with the Buyent theme, has a security flaw that lets hackers create administrator accounts without a password. This means an attacker can take control of your entire WordPress site. To fix this, update or uninstall the plugin and theme immediately.
Original title
The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the pl...
Original description
The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugin not validating or restricting the user role during registration via the REST API endpoint. This makes it possible for unauthenticated attackers to register accounts with arbitrary roles, including administrator, by manipulating the _buyent_classified_user_type parameter during the registration process, granting them complete control over the WordPress site.
nvd CVSS3.1
9.8
Vulnerability type
CWE-269
Improper Privilege Management
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026