Truelysell Core plugin allows unauthenticated attackers to gain admin access on WordPress sites

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

9.8

Truelysell Core plugin allows unauthenticated attackers to gain admin access on WordPress sites

CVE-2025-8572

Summary

The Truelysell Core plugin for WordPress has a security issue that can allow attackers to create admin accounts without logging in. This is a concern for any site using the plugin, as it could give an attacker full control over the site. To fix this, update the Truelysell Core plugin to version 1.8.8 or later.

Original title

Original description

The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than, or equal to, 1.8.7. This is due to insufficient validation of the user_role parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevated privileges, including administrator access.

nvd CVSS3.1 9.8

Vulnerability type

CWE-269 Improper Privilege Management

Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026