CVE-2025-8572
Published: 14 February 2026
Summary
CVE-2025-8572 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 35.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-8572 is a privilege escalation vulnerability in the Truelysell Core plugin for WordPress, affecting versions less than or equal to 1.8.7. The issue arises from insufficient validation of the user_role parameter during user registration, mapped to CWE-269: Improper Privilege Management. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating the user_role parameter during registration, they can create accounts with elevated privileges, including administrator access, potentially granting full control over the affected WordPress site.
Advisories and further details are provided by Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/b027c9f9-3144-4783-b646-ee1e02cd27ef?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124. The CVE was published on 2026-02-14T09:16:11.490.
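As an added illustration (not the plugin's own code), the CWE-269 pattern the advisory describes beside a hardened WordPress registration handler. The form field names, the `demo_` function names and the self-service role list are assumptions for this example.

```php
<?php
// VULNERABLE PATTERN (the shape this advisory describes): the role is taken
// straight from the request, so any visitor can ask for 'administrator'.
function demo_register_user_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $role  = sanitize_text_field( wp_unslash( $_POST['user_role'] ?? 'subscriber' ) );

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(),
        'role'       => $role, // unvalidated: 'administrator' is accepted as-is
    ) );
}

// HARDENED PATTERN: the client never chooses the role directly. The request
// value is mapped onto a server-side allowlist of self-service roles, and
// anything else falls back to the site's configured default role.
function demo_register_user_hardened() {
    // Roles a public visitor may self-assign (hypothetical list for this demo).
    $self_service_roles = array( 'customer', 'provider' );
    $default_role       = get_option( 'default_role', 'subscriber' );

    $login     = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email     = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $requested = sanitize_key( wp_unslash( $_POST['user_role'] ?? '' ) );

    if ( ! in_array( $requested, $self_service_roles, true ) ) {
        $requested = $default_role;
    }
    // Defence in depth: even a misconfigured default_role cannot yield an admin,
    // and a role name that does not exist on this site is rejected outright.
    if ( 'administrator' === $requested || ! get_role( $requested ) ) {
        return new WP_Error( 'invalid_role', 'Role is not self-assignable.' );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(),
        'role'       => $requested,
    ) );
    if ( ! is_wp_error( $user_id ) ) {
        // Hypothetical audit hook so account creation and assigned role are logged.
        do_action( 'demo_user_registered', $user_id, $requested );
    }
    return $user_id;
}
```

The hardened handler also gives a detection point: any registration whose requested role is rejected is worth logging, since legitimate users of the form have no reason to submit a role outside the allowlist.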
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206968
Vulnerability details
The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than, or equal to, 1.8.7. This is due to insufficient validation of the user_role parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevated privileges, including administrator access.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct privilege escalation via unauthenticated manipulation of user_role during registration, enabling creation of local admin accounts on the WordPress site.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the insufficient validation of the user_role parameter during user registration, preventing unauthenticated attackers from assigning elevated privileges.
- Ensures proper management of account creation and privilege assignment processes, blocking unauthorized administrator account registration.
- Enforces least privilege to restrict elevated access even if improper accounts are created, countering the privilege escalation impact.