Description
The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to the doctreat_process_registration() function not properly restricting the roles that a user can register with. This makes it possible for unauthenticated attackers to register as an administrator user.
Published: 2026-06-10
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Doctreat Core plugin for WordPress contains a flaw in the doctreat_process_registration() function: the role requested in a registration submission is not checked against the set of roles a visitor is permitted to register with (CWE-269, Improper Privilege Management). An unauthenticated attacker can therefore submit a registration request that names the administrator role and receive a fully privileged account. The result is complete administrative control of the site: installing plugins or themes (which on a default configuration means arbitrary PHP execution), changing settings, creating further accounts, and reading any stored data.
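The pattern behind the flaw, as an added illustration that is not the Doctreat Core source (the function names, form fields and the 'patient'/'doctor' role names are assumptions): a registration handler that passes the submitted role straight to wp_insert_user(), beside a hardened version that resolves the role server-side against an allowlist and falls back to the site's default role.

```php
<?php
// Added illustration of CWE-269 in a WordPress registration handler.
// NOT the Doctreat Core source: names, fields and roles here are hypothetical.

// Vulnerable pattern: whatever role the request carries is handed to
// wp_insert_user(). A request with role=administrator creates an
// administrator account, and the caller never had to authenticate.
function example_register_vulnerable( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? '',           // hashed by wp_insert_user()
        'role'       => sanitize_key( $post['role'] ?? '' ), // attacker-controlled
    ) );
}

// Hardened pattern: the request may only pick from roles a visitor is
// allowed to self-assign (assumed names); anything else becomes the site's
// default role. A nonce ties the submission to the form that rendered it.
const EXAMPLE_SELF_REGISTER_ROLES = array( 'patient', 'doctor' );

function example_resolve_registration_role( $requested ) {
    $requested = sanitize_key( (string) $requested );
    if ( in_array( $requested, EXAMPLE_SELF_REGISTER_ROLES, true ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

function example_register_hardened( array $post ) {
    if ( ! isset( $post['_wpnonce'] )
        || ! wp_verify_nonce( $post['_wpnonce'], 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ?? '' ),
        'user_email' => sanitize_email( $post['email'] ?? '' ),
        'user_pass'  => $post['password'] ?? '',
        'role'       => example_resolve_registration_role( $post['role'] ?? '' ),
    ) );
}
```

Note that sanitizing the role string is not a fix: sanitize_key() leaves "administrator" intact. The control that matters is that the server, not the request, decides which roles a self-registering visitor can end up with.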

Affected Systems

The vulnerability affects the AmentoTech Doctreat Core plugin, versions 1.6.8 and earlier; the advisory lists no fixed version. Any WordPress site with this plugin active should be treated as exposed. The advisory does not state whether doctreat_process_registration() honours WordPress's own "Anyone can register" setting, so do not rely on that setting alone as a mitigation.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) scores 9.8, Critical: reachable over the network, low attack complexity, no privileges, no user interaction, and full loss of confidentiality, integrity and availability. No EPSS score is reported yet and the CVE is not in the CISA KEV catalog, but unauthenticated privilege escalation in a WordPress plugin is the class of flaw that is routinely scanned for and exploited at scale once public, so it warrants immediate attention. Exploitation requires only an ordinary registration request to the plugin's endpoint that names the administrator role; no preconditions apply beyond network access to the site's registration functionality.

Generated by OpenCVE AI on June 10, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Doctreat Core as soon as the vendor publishes a release later than 1.6.8 in which doctreat_process_registration() restricts the roles a registrant can receive; none is listed at the time of writing (see Remediation above).
  • Until then, disable the plugin's public registration path (or the plugin itself) where the site can tolerate it; if registration must stay open, force every self-registered account to the site's default role server-side rather than trusting any role carried in the request.
  • Audit existing accounts for unexpected administrators created since the plugin was installed, and alert on administrator-role assignments that do not originate from an authenticated administrator.
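A site-level stopgap for the second and third recommendations, as an added example that is not part of Doctreat Core or OpenCVE (the file name, the EXAMPLE_/example_ identifiers, the privileged role list and the log format are assumptions): a must-use plugin that forces any account reaching a privileged role without a logged-in actor holding promote_users back to the default role and logs the attempt, plus a query that lists recently registered administrators for the audit step.

```php
<?php
/**
 * Plugin Name: Clamp Self-Registration Roles (added example, not Doctreat Core)
 * Description: Stopgap for registration handlers that accept a caller-chosen role.
 *
 * Place in wp-content/mu-plugins/ on an already-installed site so it loads
 * before ordinary plugins and cannot be deactivated from wp-admin. Names
 * prefixed EXAMPLE_/example_ are assumptions of this example.
 */

// Roles that must never be reached without a privileged, authenticated actor.
const EXAMPLE_PRIVILEGED_ROLES = array( 'administrator', 'editor', 'shop_manager' );

/**
 * Runs on set_user_role (WP_User::set_role(), which wp_insert_user() calls
 * for the role it was handed) and on add_user_role (WP_User::add_role()).
 * If no logged-in user with promote_users is acting and the role is
 * privileged, force the account back to the site's default role and log it.
 */
function example_clamp_role( $user_id, $role, $old_roles = array() ) {
    static $clamping = false;
    if ( $clamping ) {
        return; // re-entered by our own set_role() call below
    }
    if ( ! in_array( $role, EXAMPLE_PRIVILEGED_ROLES, true ) ) {
        return;
    }
    if ( is_user_logged_in() && current_user_can( 'promote_users' ) ) {
        return; // an administrator creating or promoting a user in wp-admin
    }
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return; // "wp user create --role=..." runs without a logged-in user
    }

    $clamping = true;
    $user = new WP_User( $user_id );
    $user->set_role( get_option( 'default_role', 'subscriber' ) );
    $clamping = false;

    error_log( sprintf(
        '[example-clamp] blocked role "%s" for user %d (%s) from %s; previous roles: %s',
        $role,
        $user_id,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'no-remote-addr',
        implode( ',', (array) $old_roles )
    ) );
}
add_action( 'set_user_role', 'example_clamp_role', 10, 3 );
add_action( 'add_user_role', 'example_clamp_role', 10, 2 );

/**
 * Audit helper for the monitoring step: administrators whose account was
 * registered within the last $days days, newest first. Each result is an
 * object with ID, user_login, user_email and user_registered.
 */
function example_recent_admins( $days = 30 ) {
    $query = new WP_User_Query( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => (int) $days . ' days ago' ) ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );
    return $query->get_results();
}
```

The hook fires for every role change on the site, so test it on staging first: accounts created by an administrator in wp-admin pass because the actor holds promote_users, and WP-CLI is exempted explicitly. Do not install it before WordPress itself is set up, because the installer assigns the first administrator without a logged-in user. For the audit, run the helper from the command line, for example `wp eval 'print_r( example_recent_admins( 30 ) );'`, and compare the output against the administrators you expect to exist; remove the file once a fixed plugin release is installed.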



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 11:30:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  Amentotech
                                     Amentotech doctreat Core
                                     Wordpress
                                     Wordpress wordpress
Vendors & Products                   Amentotech
                                     Amentotech doctreat Core
                                     Wordpress
                                     Wordpress wordpress

Wed, 10 Jun 2026 09:45:00 +0000

Type         Values Removed  Values Added
Description                  The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to the doctreat_process_registration() function not properly restricting the roles that a user can register with. This makes it possible for unauthenticated attackers to register as an administrator user.
Title                        Doctreat Core <= 1.6.8 - Unauthenticated Privilege Escalation
Weaknesses                   CWE-269
References
Metrics                      cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-10T08:28:20.052Z

Reserved: 2025-06-18T19:57:18.427Z

Link: CVE-2025-6254

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T10:16:29.827

Modified: 2026-06-10T10:16:29.827

Link: CVE-2025-6254

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T11:21:10Z

Weaknesses