CVE-2025-8900
Published: 03 November 2025
Summary
CVE-2025-8900 is a critical-severity Improper Privilege Management (CWE-269) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces the least privilege principle to prevent newly registered accounts from being assigned excessive privileges like administrator via the 'user_type' field.
Manages user account creation and privilege assignment processes to ensure only authorized roles are granted during registration, blocking unauthenticated privilege escalation.
Validates inputs such as the 'user_type' field in registration requests to reject unauthorized role specifications and prevent arbitrary privilege assignment.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated exploitation of a public-facing WordPress plugin (T1190) to achieve privilege escalation to administrator via improper role assignment during registration (T1068).
NVD Description
The Doccure Core plugin for WordPress is vulnerable to privilege escalation in versions up to, and excluding, 1.5.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_type'…
more
field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
Deeper analysisAI
CVE-2025-8900 is a privilege escalation vulnerability affecting the Doccure Core plugin for WordPress in versions up to, and excluding, 1.5.4. The flaw stems from the plugin permitting users registering new accounts to arbitrarily set their own role by supplying a 'user_type' field, enabling unauthenticated attackers to create accounts with elevated privileges such as administrator. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management). The vulnerability was published on 2025-11-03.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting a registration request with a manipulated 'user_type' field specifying an administrator role, attackers gain full administrative access to the affected WordPress site, potentially allowing complete compromise including data exfiltration, modification, or deletion, as indicated by the high confidentiality, integrity, and availability impacts in the CVSS vector.
Mitigation involves updating the Doccure Core plugin to version 1.5.4 or later, which addresses the registration role manipulation issue. Security practitioners should consult advisories from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/49e133c9-5d3b-4a2a-8385-e2db44baa217?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/doccure-medical-wordpress-theme/34329202 for additional details on patches and scanning tools.
Details
- CWE(s)