CVE-2025-8572
📋 TL;DR
The Truelysell Core WordPress plugin allows unauthenticated attackers to create administrator accounts due to insufficient validation of the user_role parameter during registration. This affects all WordPress sites using Truelysell Core plugin versions 1.8.7 and earlier. Attackers can gain full control of vulnerable WordPress installations.
💻 Affected Systems
- Truelysell Core WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover with attacker gaining administrator access, installing backdoors, defacing content, stealing data, and using the compromised site for further attacks.
Likely Case
Attackers create administrator accounts to gain persistent access, install malicious plugins/themes, modify content, and potentially compromise the entire WordPress installation.
If Mitigated
With proper monitoring and immediate response, unauthorized admin accounts can be detected and removed before significant damage occurs.
🎯 Exploit Status
The vulnerability requires no authentication and minimal technical skill to exploit, making it highly attractive to attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.8.8 or later
Vendor Advisory: https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Truelysell Core plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 1.8.8+ from ThemeForest and replace the plugin files.
🔧 Temporary Workarounds
Disable User Registration
Temporarily disable WordPress user registration to prevent exploitation while patching.
wp option update users_can_register 0
Deactivate Plugin
Temporarily deactivate the Truelysell Core plugin until patched.
wp plugin deactivate truelysell-core
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block registration requests that carry a user_role parameter set to an administrator or other privileged role
- Enable detailed logging of user registration events and monitor for administrator accounts created outside the normal admin workflow
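As an added defence-in-depth example (not code from the Truelysell plugin or from this advisory), a must-use plugin that resets any self-registered user who ends up with a privileged role back to the site's default role and logs the event for SIEM pickup. The file location, the role list and the log line format are assumptions.

```php
<?php
/**
 * Plugin Name: Registration Role Guard (added example, not part of Truelysell Core)
 * Place in wp-content/mu-plugins/ (assumed path); must-use plugins load before
 * regular plugins, so this runs even while Truelysell Core stays active.
 *
 * Mitigation for the CVE-2025-8572 bug class: whatever role a registration
 * handler assigned, a user created or re-roled by a session that lacks
 * account-management capabilities is reset to the default role.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Roles no self-registration may ever end up with (assumed list; extend as needed).
const RRG_PRIVILEGED_ROLES = array( 'administrator', 'editor' );

function rrg_enforce_default_role( $user_id ) {
    // Admins creating users in wp-admin hold create_users/promote_users;
    // an unauthenticated registration request holds neither.
    if ( current_user_can( 'create_users' ) || current_user_can( 'promote_users' ) ) {
        return;
    }
    // WP-CLI runs without a logged-in user; do not undo `wp user create --role=...`.
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $privileged = array_intersect( $user->roles, RRG_PRIVILEGED_ROLES );
    if ( empty( $privileged ) ) {
        return; // Also ends the recursion after our own set_role() below.
    }
    $default_role = get_option( 'default_role', 'subscriber' );
    // set_role() replaces every existing role with the one given and
    // fires 'set_user_role' again, which re-enters this function harmlessly.
    $user->set_role( $default_role );

    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'rrg: user_registered id=%d login=%s demoted_from=%s to=%s ip=%s',
        $user_id, $user->user_login, implode( ',', $privileged ), $default_role, $ip
    ) );
}
// user_register covers roles passed to wp_insert_user(); set_user_role covers
// a role assigned afterwards. Late priority runs after other hooks' changes.
add_action( 'user_register', 'rrg_enforce_default_role', PHP_INT_MAX );
add_action( 'set_user_role', 'rrg_enforce_default_role', PHP_INT_MAX );
```

The `rrg:` lines land in the PHP error log, so point the SIEM query in the Detection section at that log as well.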
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Truelysell Core version number. If version is 1.8.7 or lower, you are vulnerable.
Check Version:
wp plugin get truelysell-core --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.8.8 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual user registration events
- New administrator account creation from unfamiliar IPs
- POST requests to registration endpoints with user_role parameter
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php or registration endpoints with user_role parameter set to administrator roles
SIEM Query:
source="wordpress.log" AND ("user_registered" OR "new_user") AND ("administrator" OR "admin" OR "role")