Wordfence Warns of Active Exploits Targeting Critical Privilege Escalation Flaw in WP Freeio (CVE-2025-11533)

The Wordfence Threat Intelligence team has issued an urgent warning about CVE-2025-11533, a critical privilege escalation vulnerability (CVSS 9.8) in the WP Freeio plugin, a component of the premium Freeio freelance marketplace theme sold on ThemeForest. The flaw allows unauthenticated attackers to create administrator accounts simply by manipulating the user-role field during registration.

According to Wordfence, “This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by specifying user role during registration.”

The vulnerability affects versions prior to 1.2.22, and attackers began exploiting it within hours of disclosure. “Our records indicate that attackers started exploiting the issue on the same day, on October 10th, 2025,” the report notes. “The Wordfence Firewall has already blocked over 33,200 exploit attempts targeting this vulnerability.”

The vulnerability resides in the plugin’s process_register() function inside the WP_Freeio_User class, which handles user registration. Wordfence’s analysis revealed that the function fails to properly restrict the role parameter, allowing attackers to define any role — including administrator.

A snippet of the vulnerable code shows:

if ( isset($_POST['role']) ) {
    $userdata['role'] = $_POST['role'];
}
$user_id = wp_insert_user( $userdata );

Wordfence explains that “this function was implemented insecurely, allowing unauthenticated attackers to specify their role without any restrictions, which means they could grant themselves the administrator role.”

Once elevated to administrator, attackers gain full control of the affected website. “This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors,” Wordfence warns. Attackers can also “modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.”

Wordfence’s data confirms that exploitation began immediately following disclosure.

“Attackers started targeting websites the same day the vulnerability was disclosed, on October 10th. We also detected and blocked a large number of exploit attempts from October 21st to 23rd, indicating that attackers may have been getting familiar with the vulnerability prior to launching a mass campaign.”

A typical exploit request observed in the wild looks like this:

POST /?wpfi-ajax=wp_freeio_ajax_register&action=wp_freeio_ajax_register HTTP/1.1
Content-Type: application/x-www-form-urlencoded

role=administrator&email=[attacker]@gmail.com&password=[redacted]&confirmpassword=[redacted]

This single request effectively creates a new administrative user on the target site.

Wordfence has identified several IPs repeatedly involved in exploitation campaigns against vulnerable sites: