cbcvebase.
CVE-2025-11533
published 2025-10-11

Priority: P190 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW: VulnCheck KEV · Exploited in the wild
EPSS: 0.56% (42.6th percentile)
The WP Freeio plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.21. This is due to the process_register() function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
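The registration bug described above, as an added illustration that is not the WP Freeio plugin's own code: a hypothetical self-registration handler in the shape the advisory describes, followed by a hardened version. Function, form-field and role names (`example_register_*`, `account_type`, `freelancer`, `employer`) are assumptions for this example.

```php
<?php
// Added illustration, not the WP Freeio plugin's own code. Function, field
// and role names are assumptions; the WordPress API calls are real.

// Vulnerable pattern: the role is taken straight from the request, so a
// registration request carrying role=administrator creates an administrator.
function example_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => sanitize_key( $_POST['role'] ?? 'subscriber' ), // attacker-controlled
    );
    return wp_insert_user( $userdata ); // user ID on success, WP_Error otherwise
}

// Hardened pattern: the visitor picks an account type, which is mapped onto a
// fixed allowlist of low-privilege roles; anything outside the list falls back
// to the site's default role, so privileged roles are unreachable from here.
function example_register_hardened() {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_disabled', 'Registration is disabled.' );
    }
    $nonce = $_POST['_wpnonce'] ?? '';
    if ( ! wp_verify_nonce( $nonce, 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }

    // Roles self-registration may produce (hypothetical names for this example).
    $allowed_roles = array( 'freelancer', 'employer' );
    $requested     = sanitize_key( $_POST['account_type'] ?? '' );
    $role          = in_array( $requested, $allowed_roles, true )
        ? $requested
        : get_option( 'default_role', 'subscriber' );

    // Defence in depth: refuse any role that can administer the site, even if
    // the allowlist or the default_role option is misconfigured later.
    $role_obj = get_role( $role );
    if ( ! $role_obj || $role_obj->has_cap( 'manage_options' ) ) {
        return new WP_Error( 'forbidden_role', 'Role not permitted for self-registration.' );
    }

    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => $role, // never the raw request value
    );
    return wp_insert_user( $userdata );
}
```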

Affected

1 range

Vendor: apustheme · Product: wp_freeio · Version range: <= 1.2.21 · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

  • The vulnerable function is process_register() in the WP Freeio plugin — monitor for unauthenticated POST requests to WordPress registration endpoints that include an 'administrator' role parameter, which should never be user-supplied.
  • Wordfence detected active in-the-wild exploitation of CVE-2025-11533 against the WP Freeio premium WordPress theme — review WAF/IDS logs for blocked exploit attempts targeting registration flows on sites running this theme.
  • All versions of WP Freeio up to and including 1.2.21 are vulnerable; exploitation requires no authentication and no special preconditions — any unauthenticated user can register with the 'administrator' role.

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL