CVE-2025-11533

CRITICAL EXPLOITED

WP Freeio <1.2.21 - Privilege Escalation

Title source: llm

Exploitation Summary

CVE-2025-11533 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

The WP Freeio plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.21. This is due to the process_register() function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

References (2)

Core 2

Core References

Various Sources

https://themeforest.net/item/freeio-freelance-marketplace-wordpress-theme/42045416

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/0db85f84-04e9-42eb-a16b-96554fbfd186?source=cve

Scores

CVSS v3 9.8

EPSS 0.0056

EPSS Percentile 42.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2025-10-11

CWE

CWE-269

Status published

Products (1)

ApusTheme/WP Freeio < 1.2.21

Published Oct 11, 2025

Tracked Since Feb 18, 2026