CVE-2025-8900
BaseFortify
Publication date: 2025-11-03
Last updated on: 2025-11-04
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | doccure_core | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Doccure Core plugin for WordPress has a privilege escalation vulnerability in versions up to, but not including, 1.5.4. This occurs because the plugin allows users registering new accounts to set their own role by supplying the 'user_type' field. As a result, unauthenticated attackers can create accounts with administrator privileges.
How can this vulnerability impact me? :
This vulnerability can allow unauthenticated attackers to gain administrator-level access to a WordPress site using the Doccure Core plugin. This elevated privilege can lead to full control over the site, including modifying content, stealing data, installing malicious code, or disrupting site operations.
What immediate steps should I take to mitigate this vulnerability?
Update the Doccure Core plugin for WordPress to version 1.5.4 or later, as versions prior to 1.5.4 are vulnerable. Additionally, review and restrict user registration processes to prevent unauthenticated users from assigning themselves elevated roles such as administrator.