CVE-2025-8572 | The Truelysell Core plugin for WordPress is vulnerable to pr… | CVSS 9.8 CRITICAL

Description

The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than, or equal to, 1.8.7. This is due to insufficient validation of the user_role parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevated privileges, including administrator access.

Metadata

CVE ID: CVE-2025-8572
State: PUBLISHED
Assigner: Wordfence
Reserved: 2025-08-04 22:01 UTC
Published: 2026-02-14 08:26 UTC
Last updated: 2026-04-08 17:15 UTC
Primary CWE: CWE-269
CWE-269 Improper Privilege Management
Vendor / Product: dreamstechnologies / Truelysell Core
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
dreamstechnologies	Truelysell Core	—	0 ≤ 1.8.7

Weakness (CWE)

CWE	Source	Description
CWE-269	cna	CWE-269 Improper Privilege Management

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)