← volver
CVE-2025-8572

Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration

CVSS 9.8 CRITICALEPSS 0.4%CWE-269
Vexday Risk Score
28Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 9.8EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
14 feb 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than, or equal to, 1.8.7. This is due to insufficient validation of the user_role parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevated privileges, including administrator access.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Productos afectados
dreamstechnologies · Truelysell Core

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124https://www.wordfence.com/threat-intel/vulnerabilities/id/b027c9f9-3144-4783-b646-ee1e02cd27ef?source=cve