CVE-2025-9114
BaseFortify
Publication date: 2025-09-08
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | doccure_theme | 1.4.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Doccure theme for WordPress (up to version 1.4.8) allows unauthenticated attackers to change user passwords arbitrarily. This happens because the plugin improperly allows user-controlled access to objects, bypassing authorization checks and enabling attackers to access system resources they should not have access to.
How can this vulnerability impact me? :
This vulnerability can have severe impacts, including unauthorized password changes by attackers who are not logged in. This can lead to attackers taking over user accounts, including administrator accounts, resulting in full control over the affected WordPress site and potentially compromising its data and functionality.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Doccure theme for WordPress to a version later than 1.4.8 where the issue is fixed. Additionally, review user accounts for unauthorized password changes and consider resetting passwords for critical accounts, especially administrators. Implement monitoring for unusual password change activities and restrict access to theme files where possible.