Cyber Resilience

CVE-2025-8572

Critical

Published: 14 February 2026

Modified: 15 April 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (35.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-8572 is a critical-severity Improper Privilege Management (CWE-269) vulnerability; the affected asset is recorded as Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 35.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-8572 is a privilege escalation vulnerability in the Truelysell Core plugin for WordPress, affecting versions less than or equal to 1.8.7. The issue arises from insufficient validation of the user_role parameter during user registration, mapped to CWE-269: Improper Privilege Management. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating the user_role parameter during registration, they can create accounts with elevated privileges, including administrator access, potentially granting full control over the affected WordPress site.
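The advisory attributes the flaw to insufficient validation of the user_role parameter during registration. The following is an added example of the defensive pattern that prevents this class of bug, written for this page and not taken from the Truelysell Core plugin: the handler never passes a client-supplied role to wp_insert_user(), but resolves it server-side against an allowlist. The role names, the nonce action and the AJAX hook name are assumptions.

```php
<?php
// Illustrative hardened registration handler (added example, not the
// Truelysell Core plugin's own code). The weak pattern the advisory
// describes is a registration handler that trusts a client-supplied
// user_role and hands it to wp_insert_user(); this version decides the
// role server-side from a fixed allowlist, so 'administrator' is unreachable.

// Assumed for this example: a public form may only create these two roles.
const EXAMPLE_PUBLIC_ROLES = array( 'customer', 'provider' );

function example_resolve_registration_role( $requested ) {
    // Reject anything outside the allowlist; fall back to the site's
    // least-privileged default role instead of trusting the request.
    $requested = is_string( $requested ) ? sanitize_key( $requested ) : '';
    if ( in_array( $requested, EXAMPLE_PUBLIC_ROLES, true )
        && wp_roles()->is_role( $requested ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

function example_handle_public_registration() {
    // CSRF check: the form must carry a nonce for this action (hypothetical name).
    check_ajax_referer( 'example_register', 'nonce' );

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    if ( username_exists( $login ) || email_exists( $email ) ) {
        wp_send_json_error( 'account exists', 409 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        // The role comes from the allowlist resolver, never raw from $_POST.
        'role'       => example_resolve_registration_role( $_POST['user_role'] ?? '' ),
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_example_register', 'example_handle_public_registration' );
```

When auditing a plugin for this issue, look for any path where a value from the request body reaches the 'role' key of wp_insert_user() or a set_role()/add_role() call without passing through a fixed server-side allowlist like the one above.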

Advisories and further details are provided by Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/b027c9f9-3144-4783-b646-ee1e02cd27ef?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124. The CVE was published on 2026-02-14T09:16:11.490.


Vulnerability details

The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than or equal to 1.8.7. This is due to insufficient validation of the user_role parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevated privileges, including administrator access.

CWE(s): CWE-269 Improper Privilege Management

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1136.001 Local Account (tactic: Persistence)
Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

Direct privilege escalation via unauthenticated manipulation of user_role during registration, enabling creation of local admin accounts on the WordPress site.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5118 (shared CWE-269)
CVE-2026-9018 (shared CWE-269)
CVE-2026-8809 (shared CWE-269)
CVE-2026-0920 (shared CWE-269)
CVE-2025-13559 (shared CWE-269)
CVE-2024-11951 (shared CWE-269)
CVE-2026-7467 (shared CWE-269)
CVE-2025-5954 (shared CWE-269)
CVE-2026-23896 (shared CWE-269)
CVE-2025-27639 (shared CWE-269)

Affected Assets

Themeforest (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the insufficient validation of the user_role parameter during user registration, preventing unauthenticated attackers from assigning elevated privileges.

Prevent: Ensures proper management of account creation and privilege assignment processes, blocking unauthorized administrator account registration.

Prevent: Enforces least privilege to restrict elevated access even if improper accounts are created, countering the privilege escalation impact.
