CVE-2025-8900
📋 TL;DR
The Doccure Core WordPress plugin allows unauthenticated attackers to create accounts with administrator privileges by manipulating the user_type field during registration. This privilege escalation vulnerability affects all WordPress sites using Doccure Core plugin versions before 1.5.4. Attackers can gain full control of vulnerable WordPress installations.
💻 Affected Systems
- Doccure Core WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of WordPress site allowing attackers to install backdoors, steal data, deface website, or use site for further attacks.
Likely Case
Attackers create admin accounts, gain full control of WordPress dashboard, and potentially compromise the entire web server.
If Mitigated
Limited impact if registration is disabled or proper web application firewall rules block suspicious registration attempts.
🎯 Exploit Status
Simple HTTP POST request manipulation. No authentication required. Exploitation tools likely exist in underground forums.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.4
Vendor Advisory: https://themeforest.net/item/doccure-medical-wordpress-theme/34329202
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find Doccure Core plugin. 4. Update to version 1.5.4 or later. 5. Verify update completed successfully.
🔧 Temporary Workarounds
Disable User Registration
allTemporarily disable new user registration in WordPress settings
Web Application Firewall Rule
allBlock POST requests containing suspicious user_type parameters
🧯 If You Can't Patch
- Disable the Doccure Core plugin completely
- Implement rate limiting on registration endpoints and monitor for suspicious registration attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Doccure Core version. If version is below 1.5.4, you are vulnerable.Check Version:
wp plugin list --name=doccure-core --field=versionVerify Fix Applied:
Confirm Doccure Core plugin version is 1.5.4 or higher in WordPress plugins page.📡 Detection & Monitoring
Log Indicators:
- Multiple user registration attempts with admin-like roles
- New administrator accounts created from unusual IP addresses
Network Indicators:
- HTTP POST requests to registration endpoints with user_type parameter set to administrator or similar values
SIEM Query:
source="wordpress.log" AND "user_registered" AND ("role=administrator" OR "user_type=administrator")