
Anyone Can Become Admin: A Popular WordPress Plugin Is Handing Out Master Keys to Strangers

A critical flaw in the WordPress Mentoring plugin lets anyone on the internet create an administrator account — no password, no permission needed.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Imagine leaving the front door of your website not just unlocked, but with a sign outside that reads: "Help yourself to the keys." That's essentially what a newly disclosed vulnerability in a widely used WordPress plugin has been doing to site owners — silently, and without any warning.

Who's at Risk — and Why It Matters

The flaw lives inside the Mentoring plugin for WordPress, a tool used by coaches, educators, and community platforms to connect mentors with mentees. WordPress powers roughly 43% of all websites on the internet — that's hundreds of millions of sites — and plugins like this one are installed across thousands of them. Every site running version 1.2.8 or earlier of the Mentoring plugin is currently exposed.

For site owners, this isn't an abstract technical risk. It means a stranger — with no account, no invite, and no credentials — can walk up to your login page, register themselves as a full administrator, and immediately gain complete control of your website. They can steal customer data, plant malware that infects your visitors, redirect your traffic to scam sites, delete years of content, or lock you out of your own property entirely.

How the Attack Actually Works

Think of your website like an office building. Normal visitors are guests — they can look around the lobby. Editors and authors get a keycard to certain floors. Administrators have the master key: they can go anywhere, change anything, hire and fire other users, and even rewire the building's security systems.

The Mentoring plugin lets new users sign up through a registration form — a perfectly normal feature. But somewhere in that sign-up process, the plugin forgot to check what kind of account it was creating. A clever attacker can simply tell the plugin, during registration, "make me an administrator." And the plugin, without question, obeys. No existing account required. No approval process. No verification. Just a simple, unauthenticated request and suddenly a complete stranger is sitting in your site's control room.

What makes this especially dangerous is that the attack requires zero skill to execute. There's no complex code to write, no sophisticated tooling to set up. Anyone who can fill out a web form and knows what to type into a field can compromise an affected site in under two minutes. That dramatically broadens the pool of potential attackers beyond seasoned hackers to include opportunistic script-kiddies, automated bots, and anyone who stumbles across a "how to exploit this" post online.

The Technical Detail That Should Alarm Your Security Team

The vulnerability is a role-manipulation flaw inside the mentoring_process_registration() function — the specific routine that handles new user sign-ups. The function fails to sanitize or restrict the role parameter passed during registration, meaning an unauthenticated HTTP request can specify administrator as the desired role and the plugin will honor it without any server-side validation. It carries a CVSS score of 9.8 out of 10 — Critical — placing it in the most severe class of vulnerabilities a web application can have. The vulnerability class is unauthenticated privilege escalation via broken role restriction, which in plain terms means: no login needed, instant full access.
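To make the flaw class concrete for a security team, here is an added illustration in PHP of a registration handler that trusts the submitted role beside a hardened version. This is not the Mentoring plugin's own code: the function names, form field names and the "mentee" role are assumptions for the example.

```php
<?php
// Added illustration of the flaw class described above. This is NOT the
// Mentoring plugin's own code: function, field and role names are assumed.

// VULNERABLE pattern: the role is taken from the request and trusted as-is,
// so an unauthenticated POST with role=administrator creates an admin.
function example_register_vulnerable() {
    $role = $_POST['role'] ?? 'subscriber'; // attacker-controlled value
    return wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $role, // no check that a visitor may hold this role
    ) );
}

// HARDENED pattern: self-registration can only produce an allowlisted
// low-privilege role; any other role requires an already logged-in user who
// holds the promote_users capability. The request is also nonce-checked.
function example_register_hardened() {
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'example_register' ) ) {
        return new WP_Error( 'bad_request', 'Invalid registration request.' );
    }

    $self_service_roles = array( 'subscriber', 'mentee' ); // assumed allowlist
    $requested          = sanitize_key( $_POST['role'] ?? 'subscriber' );

    if ( in_array( $requested, $self_service_roles, true ) ) {
        $role = $requested;
    } elseif ( is_user_logged_in() && current_user_can( 'promote_users' ) && get_role( $requested ) ) {
        $role = $requested; // privileged caller may assign other existing roles
    } else {
        // Unknown or elevated role from an unprivileged caller: log and refuse
        // rather than silently downgrading, so the attempt is visible in logs.
        error_log( sprintf( 'Rejected registration with role "%s" from %s',
            $requested, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
        return new WP_Error( 'forbidden_role', 'That role cannot be self-assigned.' );
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $role,
    ) );
}
```

The decisive difference is that the hardened version decides the role server-side from an allowlist and the caller's existing capabilities, so the value in the form field can never elevate an anonymous visitor.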

Has Anyone Been Attacked Yet?

As of publication, no active exploitation has been confirmed in the wild — meaning security researchers haven't yet caught attackers actively abusing this flaw at scale. But that window of safety is narrow and closing. Vulnerabilities rated this highly, especially those requiring zero authentication and zero technical skill, tend to be weaponized quickly once details become public. Automated scanning tools that probe millions of WordPress sites for known plugin versions are already common in attacker toolkits. The clock is ticking.

The vulnerability was disclosed through Wordfence, one of the leading WordPress security research organizations, which tracks and publishes plugin vulnerabilities as part of its threat intelligence program. No patch version has been publicly confirmed at the time of writing, which means the safest immediate action is disabling the plugin entirely until an update is available.

What You Need to Do Right Now

If you or your organization runs a WordPress site, here are three concrete steps to take today:

  1. Check your plugin version immediately. Log into your WordPress dashboard, navigate to Plugins → Installed Plugins, and search for "Mentoring." If you see version 1.2.8 or any earlier version, you are vulnerable right now. Don't wait.
  2. Deactivate or delete the plugin until a patched version is released. Go to Plugins → Installed Plugins, find the Mentoring plugin, and click Deactivate — or better yet, Delete — until an update above version 1.2.8 is confirmed safe. Keeping a vulnerable plugin active while waiting is an unacceptable risk given the CVSS 9.8 severity rating.
  3. Audit your administrator accounts right now. Go to Users → All Users and filter by the Administrator role. If you see any accounts you don't recognize — especially recently created ones with no activity history — delete them immediately and change all remaining admin passwords. Also review your site's audit logs if you have a logging plugin installed, looking for any suspicious registrations in recent days.

If you're a hosting provider or manage WordPress sites on behalf of clients, push this audit across your entire portfolio today. One compromised site in a shared environment can have cascading consequences for everyone around it.
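To run step 3 above across many sites without clicking through each dashboard, here is an added WP-CLI audit script (not from the page or the plugin) that lists every administrator account newest-first and flags those registered within a review window; the 14-day window and the file name are assumptions.

```php
<?php
// Added audit script (not from the article or the plugin). Lists administrator
// accounts, newest registrations first, and flags ones created recently.
// Run from the site root with WP-CLI:  wp eval-file audit-admins.php
$window_days = 14; // assumed review window; widen it if unsure when exposure began

$admins = get_users( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
    'fields'  => 'all',
) );

$cutoff     = time() - $window_days * DAY_IN_SECONDS;
$suspicious = array();

foreach ( $admins as $user ) {
    // user_registered is stored in UTC in the wp_users table
    $registered = strtotime( $user->user_registered . ' UTC' );
    $recent     = $registered >= $cutoff;
    printf( "%-6d %-24s %-32s %s%s\n",
        $user->ID, $user->user_login, $user->user_email, $user->user_registered,
        $recent ? '  <-- registered within review window' : '' );
    if ( $recent ) {
        $suspicious[] = $user->user_login;
    }
}

if ( $suspicious ) {
    printf( "\n%d administrator account(s) registered in the last %d days: %s\n",
        count( $suspicious ), $window_days, implode( ', ', $suspicious ) );
    echo "Confirm each with its owner; remove unknown accounts "
       . "(wp user delete <login> --reassign=<trusted admin ID>) and rotate the remaining admin passwords.\n";
} else {
    echo "\nNo administrator accounts registered in the last {$window_days} days.\n";
}
```

On a multisite network or a hosting portfolio, loop the same command over each site (WP-CLI's global `--url=` option selects the site) and treat any flagged account you cannot attribute to a known person as compromised.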


CVE-2025-13618 | CVSS 9.8 Critical | Affects Mentoring plugin for WordPress ≤ 1.2.8 | No active exploitation confirmed at time of publication.
