Introduction
Unauthenticated attackers can gain full administrative access to WordPress sites running WP Freeio versions up to and including 1.2.21. The vulnerability lets anyone who can reach the public registration endpoint create an administrator account, enabling complete site takeover and persistent compromise if it is not addressed.
WP Freeio is a plugin developed by ApusThemes, distributed primarily via ThemeForest, and is a core component for freelance marketplace sites built on WordPress. It is widely used by site operators seeking to launch Upwork-style platforms with minimal custom development. The plugin handles user registration, job posting, and role management, making its security critical to the integrity of any site where it is deployed.
Technical Information
CVE-2025-11533 is a privilege escalation vulnerability rooted in the process_register() function of WP Freeio, affecting all versions up to and including 1.2.21. The flaw arises because the registration logic does not restrict which WordPress user roles can be assigned during the registration process.
An attacker can submit a registration request (via the public registration form or a direct HTTP POST) and specify the administrator role as part of the registration data. Since the process_register() function fails to validate or limit the roles that can be assigned, the plugin creates a new user account with administrator privileges. This is a classic example of improper privilege management (CWE-269).
No authentication or prior access is required. The attacker only needs to access the registration endpoint, which is typically public on sites using WP Freeio. This enables remote exploitation and allows attackers to automate attacks across multiple sites. Once an administrator account is created, the attacker can install plugins, modify site content, access sensitive data, and establish persistence.
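The following is an added illustration of the CWE-269 pattern described above and of the corresponding fix; it is not WP Freeio's own process_register() code. The request field names (`username`, `email`, `password`, `role`) and the self-assignable role names (`freelancer`, `employer`) are assumptions chosen for the example. The vulnerable handler passes whatever role the client sends straight into wp_insert_user(); the hardened handler maps the client's choice onto a fixed allow-list and additionally refuses any role that carries user- or option-management capabilities.

```php
<?php
// Added example, not the plugin's code. Reconstructs the unchecked-role
// registration pattern (vulnerable) next to an allow-list version (hardened).

// VULNERABLE pattern (hypothetical reconstruction): the role comes from the
// request and is never checked, so role=administrator creates an admin.
function vulnerable_process_register() {
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    $role     = sanitize_key( wp_unslash( $_POST['role'] ?? 'subscriber' ) );

    return wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role, // unchecked: any role, including administrator
    ) );
}

// HARDENED pattern: the client may only pick from a fixed allow-list of
// low-privilege roles; anything else falls back to the default role.
function hardened_process_register() {
    // Assumed marketplace roles that the public is allowed to self-assign.
    $allowed_roles = array( 'freelancer', 'employer' );
    $default_role  = 'freelancer';

    $username  = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email     = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password  = (string) ( $_POST['password'] ?? '' );
    $requested = sanitize_key( wp_unslash( $_POST['role'] ?? '' ) );

    // Strict allow-list comparison; the request never decides privilege.
    $role = in_array( $requested, $allowed_roles, true ) ? $requested : $default_role;

    // Defence in depth: even if the allow-list is later misconfigured, never
    // hand out a role that can manage users or site options.
    $role_obj = get_role( $role );
    if ( ! $role_obj
        || $role_obj->has_cap( 'edit_users' )
        || $role_obj->has_cap( 'manage_options' ) ) {
        return new WP_Error( 'invalid_role', 'Registration role not permitted.' );
    }

    return wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
}
```

The important design point is that the allow-list is compared with a strict `in_array( ..., true )` and that the fallback is the least-privileged role, so an unexpected or malformed value degrades to a harmless account rather than to an error path an attacker might probe. The capability check on the resolved role is independent of the allow-list, which is what protects a site if a future change adds a privileged role name to `$allowed_roles` by mistake.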
Affected Systems and Versions
- Product: WP Freeio plugin for WordPress
- Affected versions: All versions up to and including 1.2.21
- Vulnerable configuration: Any WordPress site with WP Freeio <= 1.2.21 and user registration enabled
- Patched in: Version 1.2.22
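As an added check that is not part of this advisory, the script below can be loaded inside a WordPress install (for example with WP-CLI's `wp eval-file`, which is an assumed way of running it) to confirm whether the deployed WP Freeio version is below the patched release and to list every administrator account with its registration time, so that accounts created in the exposure window can be reviewed. The plugin file path `wp-freeio/wp-freeio.php` is an assumption; adjust it to the actual plugin directory.

```php
<?php
// Added example, not part of the advisory or the plugin. Must run with
// WordPress loaded (e.g. `wp eval-file check_wp_freeio.php`).

// Returns true when the installed WP Freeio version is still vulnerable
// (below 1.2.22). The plugin main file path is an assumption.
function wp_freeio_is_vulnerable( $plugin_file = 'wp-freeio/wp-freeio.php' ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $path = WP_PLUGIN_DIR . '/' . $plugin_file;
    if ( ! file_exists( $path ) ) {
        return false; // plugin not installed at the assumed path
    }
    $data = get_plugin_data( $path, false, false );
    return version_compare( $data['Version'], '1.2.22', '<' );
}

// Returns every administrator account registered at or after $since
// (MySQL datetime in the site's stored format), newest first.
function wp_freeio_admins_registered_since( $since ) {
    $query = new WP_User_Query( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ) );
    $found = array();
    foreach ( $query->get_results() as $user ) {
        if ( strtotime( $user->user_registered ) >= strtotime( $since ) ) {
            $found[] = array(
                'ID'         => $user->ID,
                'login'      => $user->user_login,
                'email'      => $user->user_email,
                'registered' => $user->user_registered,
            );
        }
    }
    return $found;
}

// Usage: report the version status and any administrators created since the
// date the site operator considers the start of the exposure window.
$since = '2025-01-01 00:00:00'; // assumed window start; set to the install date
printf( "WP Freeio vulnerable: %s\n", wp_freeio_is_vulnerable() ? 'yes' : 'no' );
foreach ( wp_freeio_admins_registered_since( $since ) as $admin ) {
    printf( "admin #%d %s <%s> registered %s\n",
        $admin['ID'], $admin['login'], $admin['email'], $admin['registered'] );
}
```

Any administrator in that list that the operator did not create should be treated as an indicator of compromise: remove or demote the account, rotate credentials and salts, and review plugins, scheduled tasks and uploaded files, since an attacker with administrator access can persist outside the user table.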
Vendor Security History
WP Freeio is developed by ApusThemes, a vendor with a portfolio of commercial WordPress marketplace and directory themes. There is no public record of identical privilege escalation vulnerabilities in previous versions of WP Freeio. The vendor responded promptly to this CVE with a patch in version 1.2.22. However, the presence of such a fundamental privilege management flaw highlights the need for improved security review and development practices. Similar vulnerabilities have been observed in other WordPress plugins, indicating a broader ecosystem challenge.