Critical (9.8)

Wordpress Privilege Escalation (CVE-2025-8572)


CVE-2025-8572 is a critical flaw in Truelysell Core for WordPress that lets unauthenticated attackers register as an administrator and hijack the site. Update to version 1.8.8 to fix it.

Affected: WordPress

Patch now - CVE-2025-8572 is a critical privilege escalation in Truelysell Core for WordPress that lets an unauthenticated attacker register a new account with full administrator privileges, gaining complete control of the site. Update to version 1.8.8 or higher immediately to block exploitation.

Overview

A critical security vulnerability has been identified in the Truelysell Core plugin for WordPress. This flaw allows an unauthenticated attacker to register a new user account with full administrator privileges on an affected website, granting them complete control.

Vulnerability Explanation

In simple terms, the plugin fails to properly check what type of user account is being created during the registration process. Normally, a user can only sign up for a low-privilege role, like a “subscriber.” Due to insufficient validation, an attacker can send a specially crafted request that specifies a high-privilege role, such as “administrator.” The plugin accepts this request without authorization, creating an account with full system control.
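The defect described above, as an added illustration that is not Truelysell Core's own code: a registration handler that honours a client-supplied role, beside a hardened version that ignores it. The nonce action name `truelysell_register`, the form field names and the role allow-list are assumptions; the WordPress functions used (`wp_insert_user`, `get_option`, `current_user_can`, `wp_verify_nonce`) are real core APIs.

```php
<?php
// Added example, not the plugin's actual code. Assumes a front-end
// registration form posting username/email/password(/role) fields.

// UNSAFE PATTERN: the role comes straight from the request, so a visitor
// who adds role=administrator to the POST body gets that role.
function unsafe_register_handler() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => sanitize_key( wp_unslash( $_POST['role'] ?? 'subscriber' ) ),
    );
    return wp_insert_user( $userdata ); // attacker-controlled 'role' honoured
}

// HARDENED PATTERN: self-registration always receives the site's configured
// default role. A non-default role is applied only from an explicit allow-list
// of low-privilege roles, and only when the caller is already logged in with
// the capability to promote users; anonymous callers can never reach it.
function safe_register_handler() {
    if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'truelysell_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'closed', 'Registration is disabled.' );
    }
    $allowed_roles = array( 'subscriber', 'customer' ); // hypothetical allow-list
    $requested     = sanitize_key( wp_unslash( $_POST['role'] ?? '' ) );
    $role          = get_option( 'default_role', 'subscriber' );
    if ( '' !== $requested
         && in_array( $requested, $allowed_roles, true )
         && current_user_can( 'promote_users' ) ) {
        $role = $requested;
    }
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $role,
    );
    $user_id = wp_insert_user( $userdata );
    // Record every non-default role assignment so an audit can spot abuse.
    if ( ! is_wp_error( $user_id ) && $role !== get_option( 'default_role' ) ) {
        error_log( "registration assigned role {$role} to user ID {$user_id}" );
    }
    return $user_id;
}
```

Note that `wp_insert_user()` applies whatever `role` it is given, so the authorization decision has to be made by the caller before the array is built, as the hardened handler does.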

Potential Impact

The impact of this vulnerability is severe. An attacker who successfully exploits it gains the same level of access as the website’s owner. They can:

  • Deface the website or inject malicious content.
  • Steal sensitive user data.
  • Install backdoors or other malware.
  • Delete or alter critical website files and databases.
  • Use the compromised site to launch further attacks.

This constitutes a complete compromise of the website’s security and integrity.

Remediation and Mitigation Steps

Immediate action is required for any site using the Truelysell Core plugin.

1. Primary Remediation: Update Immediately. The most effective action is to update the Truelysell Core plugin to version 1.8.8 or higher. The developers have released a patch that properly validates user roles during registration. Update the plugin through your WordPress admin dashboard without delay.

2. Immediate Mitigation (If an Update Is Not Instantly Possible). If you cannot update immediately, take these temporary steps:

  • Disable User Registration: Navigate to Settings > General in your WordPress admin panel and uncheck the option “Anyone can register.” This blocks the exploit path.
  • Deactivate the Plugin: If you do not require the plugin’s functionality for site operation, deactivate it completely via the Plugins menu until you can apply the update.

3. Post-Update Actions. After updating, it is strongly recommended to:

  • Audit User Accounts: Review your site’s user list (Users > All Users) for any suspicious administrator accounts created recently, especially with unfamiliar email addresses. Remove any unauthorized accounts.
  • Change Passwords: As a precaution, change passwords for all existing administrator accounts.
  • Monitor for Suspicious Activity: Keep an eye on your site for unexpected changes, new plugins, or unfamiliar files.

Note: Always ensure you have a verified, recent backup of your website before performing updates or significant changes.
