CVE-2025-13538

The FindAll Listing plugin for WordPress

A critical vulnerability has been identified in the FindAll Listing plugin for WordPress, which allows an unauthenticated attacker to create an administrator account on an affected website.

Executive summary

CVE-2025-13538 is a critical privilege-escalation flaw in the FindAll Listing plugin for WordPress that lets an unauthenticated attacker create an administrator account on an affected site. Exploitation requires the FindAll Membership plugin to be active as well, because it supplies the registration flow that the vulnerable code hooks into. A successful attack is a complete site compromise: the attacker gains full control of content, users, and data. Because the request is trivial to craft and the outcome is total, the vulnerability poses a severe risk.

Vulnerability

The vulnerability is in the findall_listing_user_registration_additional_params function, which processes additional fields submitted with a user registration. The function copies the caller-supplied role into the data used to create the account without checking whether the caller is permitted to assign roles at all, and without restricting the value to a non-privileged role. An unauthenticated attacker therefore submits an otherwise ordinary registration request with the extra parameter role=administrator, and the site creates the account with full administrative privileges. This is an authorization failure rather than an input-encoding problem: escaping the value would not help, because the attacker's value is a perfectly valid role name. The attack is only possible when the FindAll Membership plugin is also installed and activated, because it provides the registration functionality that the vulnerable function hooks into.
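To make the bug class concrete, the following is an added example written for this advisory; it is not code from the FindAll Listing plugin, and the function names, request field names and the role allow-list are assumptions for illustration. It shows a registration "additional params" builder in the vulnerable shape the advisory describes, next to a hardened version that never takes the role from an untrusted request, with a constructed hostile registration exercising both.

```php
<?php
// Added example for this advisory, not code from the FindAll Listing plugin:
// a registration "additional params" builder written in the style the
// advisory describes. Function names, field names and the allow-list are
// assumptions for illustration only.

// VULNERABLE PATTERN: every field the client sent, including "role", is
// copied into the userdata array that will be handed to user creation. An
// unauthenticated POST carrying role=administrator therefore produces an
// administrator account.
function vulnerable_registration_params(array $request): array
{
    $userdata = [
        'user_login' => $request['username'] ?? '',
        'user_email' => $request['email'] ?? '',
        'user_pass'  => $request['password'] ?? '',
    ];
    if (!empty($request['role'])) {
        $userdata['role'] = $request['role']; // client-chosen role, trusted verbatim
    }
    return $userdata;
}

// HARDENED PATTERN: the role never comes from an untrusted request. Self-
// registration always receives the site's default role. Only a caller that is
// already authorised to create users may choose a role, and only from an
// allow-list that does not contain administrator. (Inside WordPress the
// authorisation flag would come from current_user_can('create_users').)
function hardened_registration_params(array $request, bool $caller_can_create_users, string $default_role = 'subscriber'): array
{
    $assignable = ['subscriber', 'contributor']; // assumed allow-list; never 'administrator'
    $userdata = [
        'user_login' => $request['username'] ?? '',
        'user_email' => $request['email'] ?? '',
        'user_pass'  => $request['password'] ?? '',
        'role'       => $default_role,
    ];
    if ($caller_can_create_users
        && isset($request['role'])
        && in_array($request['role'], $assignable, true)) {
        $userdata['role'] = $request['role'];
    }
    return $userdata;
}

// Self-check, runnable with the PHP CLI and no WordPress install. The request
// below is a constructed sample of the hostile registration the advisory
// describes.
$hostile = [
    'username' => 'attacker',
    'email'    => 'attacker@example.test',
    'password' => 'hunter2',
    'role'     => 'administrator',
];
$checks = [
    'vulnerable builder grants administrator'                         => vulnerable_registration_params($hostile)['role'] === 'administrator',
    'hardened builder ignores role for an anonymous caller'           => hardened_registration_params($hostile, false)['role'] === 'subscriber',
    'hardened builder refuses administrator even for an authorised caller' => hardened_registration_params($hostile, true)['role'] === 'subscriber',
];
foreach ($checks as $label => $ok) {
    echo ($ok ? 'PASS ' : 'FAIL ') . $label . PHP_EOL;
    if (!$ok) {
        exit(1);
    }
}
```

The point of the hardened version is that the decision is made on the caller's authorization, not on the value: a list of "bad" role names to reject would still be an allow-by-default design, whereas defaulting to the site role and only ever widening it for an authorised caller fails closed.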

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. An attacker who successfully exploits this flaw gains complete administrative control over the affected WordPress site. This can lead to severe business consequences, including theft of sensitive customer or corporate data, website defacement, distribution of malware to visitors, and complete service disruption. The resulting reputational damage and potential financial losses from data breaches or cleanup costs are significant. Given that the attack can be launched by any unauthenticated user, the risk to public-facing websites using the affected plugins is extremely high.

Remediation

Immediate Action: Update the FindAll Listing plugin for WordPress to a patched version (later than 1.0.5). After updating, review all user accounts, especially those holding the administrator role, against the list of accounts you know to be legitimate, and remove any that were not created by your own staff. If an unauthorized administrator is found, treat the site as fully compromised rather than merely cleaned: an administrator can install arbitrary code, so rotate all administrator credentials and API keys and inspect the file system and database for backdoors left behind. Review web server and application logs for suspicious registration attempts.

Proactive Monitoring: Monitor web server and application logs for unusual volumes of POST requests to user registration endpoints, and look for requests carrying a role parameter that names a privileged role, such as role=administrator. Note that a standard access log records only the request line, not the POST body, so that string will only be visible where the parameter was sent in the query string or where request-body logging (for example a WAF or audit log) is in place. The more reliable signal is on the application side: alert on every creation of a new account with the administrator role, so that a compromise is detected within minutes rather than at the next manual audit.

Compensating Controls: If patching is not immediately possible, consider the following temporary measures:

  • Disable user registration through the FindAll Membership plugin entirely until the update is applied.
  • Add a Web Application Firewall (WAF) rule that blocks registration requests carrying any role parameter at all, not only ones naming 'administrator' or 'editor'. The attacker controls both the value and its encoding, so a list of known privileged role names is easier to evade than an outright rejection of the parameter.
  • Restrict access to the registration page to trusted IP addresses if the business use case allows it.
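One way to implement both the application-side alerting recommended under Proactive Monitoring and a server-side compensating control for the unpatched window, as an added example that is not part of this advisory and not code from FindAll or WordPress core: a must-use plugin (a file dropped into wp-content/mu-plugins/) that resets the role of any account created by a request not itself permitted to create users, and logs and e-mails an alert whenever an account is given the administrator role. The hooks (user_register, set_user_role) and helpers (current_user_can, get_userdata, get_option, wp_mail) are standard WordPress APIs; the log destination (PHP's error_log), the e-mail recipient and the assumption that only the site default role is legitimate for self-registration are choices made for this example.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (added example for CVE-2025-13538)
 * Description: Temporary compensating control and alerting; not FindAll code.
 *
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

if (!defined('ABSPATH')) {
    exit; // only meaningful when loaded by WordPress
}

// Roles a self-registered account is allowed to end up with. Extend this if a
// membership plugin legitimately assigns its own non-default role on signup.
// (Assumption for the example: only the site default role is legitimate.)
function rrg_allowed_self_roles(): array
{
    return [get_option('default_role', 'subscriber')];
}

// 1. Mitigation. wp_insert_user() applies the caller-supplied role and then
// fires 'user_register'. If the current request is not authorised to create
// users (an unauthenticated self-registration never is), any role outside the
// allow-list is stripped and replaced with the site default.
add_action('user_register', function (int $user_id): void {
    if (current_user_can('create_users')) {
        return; // an administrator creating an account deliberately
    }
    $user = get_userdata($user_id);
    if (!$user) {
        return;
    }
    $unexpected = array_diff($user->roles, rrg_allowed_self_roles());
    if (empty($unexpected)) {
        return;
    }
    $default_role = get_option('default_role', 'subscriber');
    error_log(sprintf(
        'registration-role-guard: new user %d (%s) from %s arrived with role(s) %s; reset to %s',
        $user_id,
        $user->user_login,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        implode(',', $unexpected),
        $default_role
    ));
    $user->set_role($default_role); // set_role() replaces all existing roles
}, 1);

// 2. Detection. WP_User::set_role() fires 'set_user_role' on every role
// change, including the one wp_insert_user() performs for a new account, so
// this fires for the attacker's administrator assignment even though the
// callback above immediately reverts it. Every hit is worth investigating.
add_action('set_user_role', function (int $user_id, string $role, array $old_roles): void {
    if ($role !== 'administrator') {
        return;
    }
    $user = get_userdata($user_id);
    $msg  = sprintf(
        'registration-role-guard ALERT: user %d (%s) assigned administrator (previous: %s) during %s %s from %s',
        $user_id,
        $user ? $user->user_login : 'unknown',
        $old_roles ? implode(',', $old_roles) : 'none',
        $_SERVER['REQUEST_METHOD'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    );
    error_log($msg);
    wp_mail(get_option('admin_email'), 'Administrator role assigned', $msg);
}, 10, 3);
```

This is defence in depth for the unpatched window, not a substitute for the update: the guard only acts on the normal wp_insert_user path, and a legitimate administrator creating accounts in wp-admin is deliberately left alone. During that window, any alert from the second hook that does not correspond to an action by your own staff should be handled as an attempted or actual compromise and investigated as described under Immediate Action.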

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the low complexity required for exploitation, this vulnerability requires immediate attention. We strongly recommend that all organizations using the affected plugins apply the security update provided by the vendor without delay. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion. A post-patch audit of all administrator-level accounts is crucial to ensure the site was not compromised prior to remediation.