Platform: wordpress
Component: truelysell-core
Fixed version: 1.8.8
CVE-2025-8572 is a critical privilege escalation vulnerability affecting the Truelysell Core plugin for WordPress. Attackers can exploit this flaw to bypass authentication and gain unauthorized administrator privileges. This vulnerability impacts versions 0 through 1.8.7 of the plugin and has been resolved in version 1.8.8.
Successful exploitation of CVE-2025-8572 allows an unauthenticated attacker to register a new user account and assign themselves an elevated role, including administrator. This grants complete control over the WordPress site, enabling the attacker to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and potentially compromise the entire server. The impact is particularly severe for WordPress sites hosting e-commerce functionality or containing sensitive user data, as the attacker can directly manipulate the database and system configurations.
CVE-2025-8572 was published on 2026-02-14. Severity is currently assessed as CRITICAL (CVSS 9.8). Public proof-of-concept exploits are not yet widely available, but the ease of exploitation suggests a high likelihood of future exploitation attempts. Monitor security advisories and threat intelligence feeds for any indications of active campaigns targeting this vulnerability.
Exploit status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-8572 is to immediately upgrade the Truelysell Core plugin to version 1.8.8 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling user registration on the WordPress site to prevent new account creation. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block suspicious user registration attempts can provide an additional layer of defense. Review WordPress user accounts for any unexpected administrator accounts.
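The defect class the advisory describes (a role value accepted from the registration request) set beside a hardened registration handler, plus a helper for the "review administrator accounts" step above, as an added illustrative example in PHP, WordPress's own language. This is not Truelysell Core's code: the `example_*` function names, the request array shape and the allowed-role list are assumptions made for the example; the WordPress functions called (`wp_create_user`, `wp_insert_user`, `get_users`, `sanitize_key`, `WP_User::set_role`) are real core APIs.

```php
<?php
// Added illustrative example; NOT Truelysell Core's code. Function names
// (example_*), the $request array and the allowed-role list are assumptions.

// Defect class (illustrative): the role is whatever the client sent.
function example_vulnerable_register( array $request ) {
    $user_id = wp_create_user(
        sanitize_user( $request['username'] ),
        $request['password'],
        sanitize_email( $request['email'] )
    );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // No validation: a request carrying role=administrator gets that role.
    $user = new WP_User( $user_id );
    $user->set_role( $request['role'] );
    return $user_id;
}

// Hardened form: registration honours the site setting, the role is picked
// from a fixed allow-list of low-privilege roles, and anything else falls
// back to subscriber. Administrator cannot be reached through this path.
function example_hardened_register( array $request ) {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'User registration is disabled.' );
    }

    // Roles this self-service form may create (assumption for the example).
    $allowed_roles = array( 'subscriber', 'customer' );
    $requested     = isset( $request['role'] ) ? sanitize_key( $request['role'] ) : '';
    $role          = in_array( $requested, $allowed_roles, true ) ? $requested : 'subscriber';

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'], true ),
        'user_pass'  => $request['password'],
        'user_email' => sanitize_email( $request['email'] ),
        'role'       => $role,
    ) );
    return $user_id; // int user ID on success, WP_Error on failure
}

// Audit helper: list administrator accounts newest-first with their
// registration time, so accounts created while a vulnerable version was
// installed stand out. Callable from an admin page or via `wp eval`.
function example_list_administrators() {
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
        'fields'  => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );
    $rows = array();
    foreach ( $admins as $admin ) {
        $rows[] = sprintf(
            '%d %s <%s> registered %s',
            $admin->ID, $admin->user_login, $admin->user_email, $admin->user_registered
        );
    }
    return $rows;
}
```

The difference that matters is where the role comes from: in the hardened handler the request can only select among roles the form is meant to create, and any other value, including `administrator`, is discarded rather than applied. Elevation to a privileged role should happen only through a separate path that checks `current_user_can( 'promote_users' )`, never inside a self-service registration endpoint. The audit helper returns one line per administrator so the output can be diffed against a known-good list after the 1.8.8 update.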
Update to version 1.8.8 or a later fixed version.
CVE-2025-8572 is a critical vulnerability in the Truelysell Core WordPress plugin allowing unauthenticated attackers to gain administrator access due to insufficient user role validation during registration.
Yes, if you are using Truelysell Core plugin versions 0 through 1.8.7, you are vulnerable to this privilege escalation attack.
Upgrade the Truelysell Core plugin to version 1.8.8 or later to resolve this vulnerability. If immediate upgrade is not possible, disable user registration temporarily.
While no widespread exploitation has been publicly reported, the ease of exploitation suggests a high probability of future attacks. Continuous monitoring is recommended.
Refer to the Truelysell Core plugin website or WordPress plugin repository for the official security advisory and update information.