CVE-2025-10742 | The Truelysell Core plugin for WordPress is vulnerable to Ar… | CVSS 9.8 CRITICAL

Description

The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the 'truelysell_edit_staff' shortcode.

Metadata

CVE ID: CVE-2025-10742
State: PUBLISHED
Assigner: Wordfence
Reserved: 2025-09-19 18:39 UTC
Published: 2025-10-16 06:47 UTC
Last updated: 2026-04-08 17:13 UTC
Primary CWE: CWE-639
CWE-639 Authorization Bypass Through User-Controlled Key
Vendor / Product: dreamstechnologies / Truelysell Core
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
dreamstechnologies	Truelysell Core	—	0 ≤ 1.8.6

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	CWE-639 Authorization Bypass Through User-Controlled Key

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)