CVE Alert: CVE-2025-11168 – mvirik – Mementor Core

CVE-2025-11168

HIGH (no exploitation known)

The Mementor Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.5. This is due to the plugin not properly handling the user switch-back function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges by accessing an administrator account through the switch-back functionality.

CVSS v3.1 (8.8)
Vendor
mvirik
Product
Mementor Core
Versions
* lte 2.2.5
CWE
CWE-269 Improper Privilege Management
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-11-11T03:30:33.945Z
Updated
2025-11-11T03:30:33.945Z

AI Summary Analysis

**Risk verdict**: High risk due to authenticated privilege escalation; treat as priority 1 if KEV is active or EPSS ≥ 0.5; otherwise remains high urgency.

**Why this matters**: An attacker with Subscriber+ access can elevate to Administrator, potentially taking full control of the WordPress site, exfiltrating data or defacing content. The impact is extensive for sites relying on Mementor Core within WordPress, and the combination of authenticated access with a privilege escalation path makes the scenario realistic in environments with multiple contributor accounts.

**Most likely attack path**: Requires a legitimate subscriber-level account (PR:L) with network access (AV:N, no UI interaction). The attacker exploits the switch-back function to gain admin rights (I:H, C:H, A:H). Once elevated, they can operate with administrator privileges across the site, increasing lateral movement risk within the WordPress admin surface.

**Who is most exposed**: WordPress installations using Mementor Core <= 2.2.5 that grant accounts to contributors or editors, or to anyone else with at least Subscriber-level access. Organisations on shared hosting or with multiple external contributors are particularly vulnerable if administrative controls are weak.

**Detection ideas**:

  • Unusual admin-session activity initiated from non-admin accounts.
  • Privilege-escalation events tied to the switch-back functionality.
  • Admin-endpoint access originating from subscriber-level accounts.
  • Authentication logs showing rapid role changes for a single user.
  • Anomalous site-wide actions after a login from a contributor account.
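As an added example (not part of the original alert), the following Python script applies the first, second and fourth detection ideas above to a few constructed audit events: it flags any user whose session rises to administrator within a short window of a lower-privilege event. The log format, field names and the `switch_back` event label are assumptions for illustration, not the plugin's real logging.

```python
"""Flag rapid low-privilege -> administrator transitions in audit events."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). The "key=value" format,
# the role names and the "switch_back" event label are assumptions.
SAMPLE_EVENTS = """\
2025-11-11T08:00:01Z user=alice event=login role=subscriber ip=203.0.113.5
2025-11-11T08:00:09Z user=alice event=switch_back role=administrator ip=203.0.113.5
2025-11-11T08:00:15Z user=alice event=admin_action role=administrator path=/wp-admin/users.php
2025-11-11T09:10:00Z user=bob event=login role=administrator ip=198.51.100.7
2025-11-11T09:12:00Z user=bob event=switch_back role=administrator ip=198.51.100.7
2025-11-11T10:00:00Z user=carol event=login role=editor ip=192.0.2.9
"""

# Ordinal privilege level per WordPress role; unknown roles count as lowest.
PRIV = {"subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4}


def parse_events(text):
    """Parse one event per line: ISO timestamp followed by key=value pairs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(kv.split("=", 1) for kv in pairs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_escalations(events, window=timedelta(minutes=5)):
    """Return (user, event, seconds) for each event where a user's role
    becomes administrator within `window` of that user's previous event
    at a lower privilege level (e.g. a subscriber login followed by a
    switch_back that lands in an administrator session)."""
    alerts = []
    last_seen = {}  # user -> (timestamp, role) of that user's previous event
    for e in events:
        user, role = e["user"], e.get("role", "")
        prev = last_seen.get(user)
        if (prev and role == "administrator"
                and PRIV.get(prev[1], 0) < PRIV["administrator"]
                and e["ts"] - prev[0] <= window):
            alerts.append((user, e["event"], int((e["ts"] - prev[0]).total_seconds())))
        last_seen[user] = (e["ts"], role)
    return alerts


if __name__ == "__main__":
    for alert in find_escalations(parse_events(SAMPLE_EVENTS)):
        print("ALERT privilege escalation: user=%s event=%s after %ds" % alert)
```

Bob's switch_back is not flagged because his session was already administrator-level; only alice's jump from a subscriber login to an administrator session eight seconds later produces an alert.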

**Mitigation and prioritisation**:

  • Patch to latest Mementor Core release or disable the plugin until patched; verify vendor fix.
  • Enforce MFA for all admin and high-privilege accounts; implement strict role boundaries.
  • Review and tighten subscriber/editor permissions; remove unnecessary switch-back access if possible.
  • Validate backups and perform staged testing before deployment; maintain change-control notes.
  • If KEV true or EPSS ≥ 0.5: treat as priority 1; otherwise proceed as high-priority remediation.
