CVE-2025-10742 - Vulnerability Details

- Truelysell Core <= 1.8.6 - Unauthenticated Arbitrary User Password Change

Description

The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the 'truelysell_edit_staff' shortcode.

Published: 2025-10-16

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The plugin allows unauthenticated users to change any user's password because it gives user‑controlled access to protected objects, effectively bypassing authorization. If an attacker can reach the page that contains the truelysell_edit_staff shortcode, they can perform a password reset for any account, including administrators, thereby taking over the site. This is a high‑impact flaw that compromises confidentiality, integrity, and availability of the WordPress site via credential takeover.

Affected Systems

The vulnerability exists in the Truelysell Core WordPress plugin from dreamstechnologies for all releases up to and including version 1.8.6. Only those installations running 1.8.6 or earlier are affected.

Risk and Exploitability

The CVSS score of 9.8 marks this flaw as critical, while the EPSS score of less than 1% indicates that exploitation is currently not widely observed. The flaw is not listed in the CISA KEV catalog. Attackers could exploit it unauthenticated over the Web by accessing the vulnerable shortcode page, so any web‑connected site that has the plugin installed and the shortcode exposed is a potential target. Because the change can be performed by anyone who can reach the page and the password can be set to any value, the risk of credential compromise and full administrative takeover is very high.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

dreamstechnologies

Truelysell Core

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.8.6

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Truelysell Core plugin to the latest available version, which removes the unauthenticated password change flaw.
If an upgrade cannot be performed immediately, remove or restrict the truelysell_edit_staff shortcode so that only authenticated administrators can access the page that triggers the password change.
Review WordPress authentication logs for unexpected password‑reset actions and monitor for potential account takeovers.

Generated by OpenCVE AI on April 21, 2026 at 02:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00299.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124
https://www.wordfence.com/threat-intel/vulnerabilities/id/a636e865-9556-4afb-8726-4537a160f379?source=cve

History

Mon, 20 Oct 2025 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Thu, 16 Oct 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 16 Oct 2025 07:00:00 +0000

Type	Values Removed	Values Added
Description		The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the 'truelysell_edit_staff' shortcode.
Title		Truelysell Core <= 1.8.6 - Unauthenticated Arbitrary User Password Change
Weaknesses		CWE-639
References		https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124 https://www.wordfence.com/threat-intel/vulnerabilities/id/a636e865-9556-4afb-8726-4537a160f379?source=cve
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-10-16T06:47:29.826Z

Updated: 2026-04-08T17:13:26.336Z

Reserved: 2025-09-19T18:39:16.715Z

Link: CVE-2025-10742

Vulnrichment

Updated: 2025-10-16T13:32:21.667Z

NVD

Status : Deferred

Published: 2025-10-16T07:15:32.517

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T02:30:25Z

Weaknesses

CWE-639

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object