CVE-2025-8572

Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration

CVSS 9.8 CRITICALEPSS 0.4%CWE-269

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.8EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

14 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than, or equal to, 1.8.7. This is due to insufficient validation of the user_role parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevated privileges, including administrator access.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

dreamstechnologies · Truelysell Core

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124 https://www.wordfence.com/threat-intel/vulnerabilities/id/b027c9f9-3144-4783-b646-ee1e02cd27ef?source=cve