Platform
wordpress
Component
truelysell-core
Fixed in
1.8.8
CVE-2025-8572 is a critical privilege escalation vulnerability affecting the Truelysell Core plugin for WordPress. Attackers can exploit this flaw to bypass authentication and gain unauthorized administrator privileges. This vulnerability impacts versions 0 through 1.8.7 of the plugin and has been resolved in version 1.8.8.
Successful exploitation of CVE-2025-8572 allows an unauthenticated attacker to register a new user account and assign themselves an elevated role, including administrator. This grants complete control over the WordPress site, enabling the attacker to modify content, install malicious plugins, steal sensitive data (user credentials, customer information, financial data), and potentially compromise the entire server. The impact is particularly severe for WordPress sites hosting e-commerce functionality or containing sensitive user data, as the attacker can directly manipulate the database and system configurations.
CVE-2025-8572 was published on 2026-02-14. Severity is currently assessed as CRITICAL (CVSS 9.8). Public proof-of-concept exploits are not yet widely available, but the ease of exploitation suggests a high likelihood of future exploitation attempts. Monitor security advisories and threat intelligence feeds for any indications of active campaigns targeting this vulnerability.
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-8572 is to immediately upgrade the Truelysell Core plugin to version 1.8.8 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling user registration on the WordPress site to prevent new account creation. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block suspicious user registration attempts can provide an additional layer of defense. Review WordPress user accounts for any unexpected administrator accounts.
Upgrade to version 1.8.8 or a later patched version
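The two interim steps above (reviewing the site for unexpected administrator accounts and temporarily disabling self-registration) as an added shell example that is not part of this advisory or of the Truelysell Core plugin. It assumes WP-CLI (`wp`) is installed and run from the WordPress root; the cut-off date and the sample CSV are constructed for the dry run.

```shell
#!/bin/sh
# Added example, not from the advisory or the plugin: audit WordPress
# administrator accounts created on or after a given date and show the
# temporary workaround of switching off self-registration.
# Assumes WP-CLI ("wp") is installed and invoked from the WordPress root.

# count_recent_admins SINCE < CSV
# Input: WP-CLI CSV with columns ID,user_login,user_email,user_registered.
# Prints each administrator registered on/after SINCE (ISO date or
# datetime, compared as text) to stderr and the number found to stdout.
count_recent_admins() {
    awk -F, -v since="$1" '
        NR > 1 && $4 >= since {
            printf "SUSPECT: ID=%s login=%s email=%s registered=%s\n",
                   $1, $2, $3, $4 > "/dev/stderr"
            n++
        }
        END { print n + 0 }
    '
}

# audit_admins SINCE: pull the live administrator list and count recent ones.
audit_admins() {
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=csv \
        | count_recent_admins "$1"
}

# disable_registration: interim workaround while the plugin cannot be
# upgraded; turns the "Anyone can register" option off.
disable_registration() {
    wp option update users_can_register 0
}

# Constructed sample output (not real site data) for a dry run:
SAMPLE_CSV='ID,user_login,user_email,user_registered
1,owner,owner@example.com,2023-01-10 09:12:00
57,svc-backup,backup@example.com,2025-07-30 22:41:15
58,zz-admin,zz@example.net,2025-08-03 04:05:06
61,support,support@example.org,2025-08-05 11:30:00'

# Dry run: how many administrators appeared on or after 2025-08-01?
printf '%s\n' "$SAMPLE_CSV" | count_recent_admins 2025-08-01
```

Run `audit_admins 2025-08-01` (or any date just before the plugin was installed or the advisory was published) against the live site, then inspect every account it flags before removing it.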
CVE-2025-8572 is a critical vulnerability in the Truelysell Core WordPress plugin allowing unauthenticated attackers to gain administrator access due to insufficient user role validation during registration.
Yes, if you are using Truelysell Core plugin versions 0 through 1.8.7, you are vulnerable to this privilege escalation attack.
Upgrade the Truelysell Core plugin to version 1.8.8 or later to resolve this vulnerability. If immediate upgrade is not possible, disable user registration temporarily.
While no widespread exploitation has been publicly reported, the ease of exploitation suggests a high probability of future attacks. Continuous monitoring is recommended.
Refer to the Truelysell Core plugin website or WordPress plugin repository for the official security advisory and update information.