Attack Vectors
Truelysell Core (WordPress plugin slug: truelysell-core) has a Critical vulnerability (CVSS 9.8) that can be exploited without authentication. In practical terms, an attacker targets the site's public-facing registration flow and submits a new-account request with a manipulated user_role value.
Because no login is required, this type of issue is attractive to opportunistic attackers and can be scanned for and exploited at scale across the many websites running Truelysell Core 1.8.7 or earlier.
Security Weakness
CVE-2025-8572 is an unauthenticated privilege escalation via registration affecting Truelysell Core <= 1.8.7. The core weakness is insufficient validation of the user_role parameter during user registration: the role requested by the client is honoured instead of being restricted to the roles a public sign-up should ever be able to create.
This is categorized as Critical because it can directly lead to the creation of elevated accounts, including administrator accounts, without any prior foothold. Reference: CVE-2025-8572.
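The weakness described above, reconstructed as an added example in PHP. This is not Truelysell Core's code and does not reproduce its internals: the handler names, the form field names and the set of roles offered to the public (customer and provider are assumed for a service-marketplace plugin) are hypothetical. The first handler trusts the client-supplied user_role; the second accepts only roles from a server-side allowlist and additionally refuses any role that can manage users or site options, so a later allowlist mistake cannot reopen the hole.

```php
<?php
// Added example, not Truelysell Core's code. Hypothetical registration handlers
// for a WordPress plugin; field names and the public role set are assumptions.

// VULNERABLE: the role is taken straight from the request. Anyone who can reach
// the public sign-up form can send user_role=administrator.
function tl_example_register_vulnerable( array $post ) {
    $userdata = array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? '',
        'role'       => $post['user_role'] ?? 'subscriber', // attacker-controlled
    );
    return wp_insert_user( $userdata ); // int user ID or WP_Error
}

// Roles a public sign-up is allowed to create (assumed; a real plugin defines its own).
function tl_example_allowed_public_roles() {
    return array( 'customer', 'provider' );
}

// HARDENED: the client may only pick from the allowlist, and the chosen role is
// checked against capabilities that a self-registered account must never hold.
function tl_example_register_hardened( array $post ) {
    $requested = sanitize_key( $post['user_role'] ?? '' );
    $allowed   = tl_example_allowed_public_roles();
    $role      = in_array( $requested, $allowed, true ) ? $requested : 'customer';

    // Defence in depth: refuse any role that can manage users or site settings,
    // even if the allowlist above is misconfigured in a future release.
    $role_obj = get_role( $role );
    if ( ! $role_obj
        || $role_obj->has_cap( 'edit_users' )
        || $role_obj->has_cap( 'promote_users' )
        || $role_obj->has_cap( 'manage_options' ) ) {
        return new WP_Error( 'tl_bad_role', 'Role not allowed for public registration.' );
    }

    $userdata = array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? '',
        'role'       => $role, // server-chosen, never the raw request value
    );
    return wp_insert_user( $userdata );
}
```

The allowlist is the actual fix; the capability check is a guard rail. If the plugin only ever needs one public role, drop the user_role field entirely and hard-code the role server-side, which removes the parameter from the attack surface altogether.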
Technical or Business Impacts
If exploited, attackers may be able to create an administrator-level account and take control of the WordPress site. That can enable content changes, insertion of malicious redirects, publishing fraudulent pages, or other unauthorized site modifications that directly affect brand trust and customer experience.
From a business-risk perspective, the impact can include reputational damage (defacement, spam, or malicious popups), loss of lead quality (traffic redirected to malicious destinations), and operational disruption (site lockouts or recovery time). Depending on what data your WordPress environment can access, there may also be heightened compliance and reporting concerns.
Recommended action: Update Truelysell Core to version 1.8.8 or a newer patched release. Confirm the plugin version across all environments (production, staging, and any regional sites) to reduce exposure. If the plugin was reachable while unpatched, also review the administrator accounts (for example with WP-CLI: wp user list --role=administrator --fields=ID,user_login,user_email,user_registered) and remove any account you did not create.
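The version check across environments, as an added example in PHP (not part of the advisory or of the plugin). It reads the standard WordPress plugin header (Plugin Name: / Version:) from the plugin directory and compares the installed version with the first patched release named above. The plugin's main file name is not assumed; the script picks whichever top-level .php file carries a Plugin Name header. Pass one plugin directory per environment.

```php
<?php
// Added example, not part of the advisory or the plugin. Usage:
//   php check-truelysell-version.php /srv/prod/wp-content/plugins/truelysell-core \
//                                    /srv/staging/wp-content/plugins/truelysell-core
// Exit code 0 = all patched, 1 = at least one vulnerable, 2 = a directory could not be read.

const TL_FIXED_VERSION = '1.8.8'; // first patched release named in the advisory

// Parse a WordPress plugin header; returns [name, version] or null if not a plugin file.
// WordPress itself only inspects the first 8 KiB of the file, so do the same.
function tl_read_plugin_header( string $file ): ?array {
    $head = file_get_contents( $file, false, null, 0, 8192 );
    if ( $head === false || ! preg_match( '/^[ \t\/*#@]*Plugin Name:[ \t]*(.+)$/mi', $head, $n ) ) {
        return null;
    }
    $ver = preg_match( '/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $head, $v ) ? $v[1] : '0';
    return array( trim( $n[1] ), $ver );
}

// Locate the main plugin file in a plugin directory (the one carrying the header).
function tl_find_plugin_version( string $dir ): ?array {
    foreach ( glob( rtrim( $dir, '/' ) . '/*.php' ) ?: array() as $file ) {
        $hdr = tl_read_plugin_header( $file );
        if ( $hdr ) {
            return $hdr;
        }
    }
    return null;
}

// True if the installed version is still affected (anything below the fixed release).
function tl_is_vulnerable( string $installed ): bool {
    return version_compare( $installed, TL_FIXED_VERSION, '<' );
}

$exit = 0;
foreach ( array_slice( $argv, 1 ) as $dir ) {
    $hdr = tl_find_plugin_version( $dir );
    if ( ! $hdr ) {
        fwrite( STDERR, "$dir: no plugin header found\n" );
        $exit = max( $exit, 2 );
        continue;
    }
    list( $name, $ver ) = $hdr;
    $vuln = tl_is_vulnerable( $ver );
    printf( "%-50s %-20s %-8s %s\n", $dir, $name, $ver,
        $vuln ? 'VULNERABLE (update to ' . TL_FIXED_VERSION . ' or later)' : 'ok' );
    if ( $vuln ) {
        $exit = max( $exit, 1 );
    }
}
exit( $exit );
```

Where WP-CLI is available on each host, wp plugin get truelysell-core --field=version gives the same answer without a custom script; the file-based check is useful for backups, container images and hosts where WP-CLI cannot bootstrap WordPress.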
Similar Attacks
Account-creation abuse, privilege escalation and other pre-authentication flaws have been common in real-world incidents affecting WordPress and similar PHP CMS sites. Examples include:
- CVE-2020-25213 (File Manager plugin): unauthenticated arbitrary file upload leading to remote code execution, widely exploited in the wild
- CVE-2021-29447 (WordPress core, media library): XML external entity (XXE) injection via media upload on PHP 8, affecting WordPress 5.6 to 5.7
- CVE-2023-27372 (SPIP, a PHP CMS rather than a WordPress plugin): unauthenticated remote code execution through mishandled serialization of public form input, the same pattern of a public form leading to site takeover
For this specific issue, see Wordfence’s advisory source for Truelysell Core: Wordfence Vulnerability Intelligence entry.