Description
The Doccure Core plugin for WordPress is vulnerable to privilege escalation in versions up to, and excluding, 1.5.4. This is due to the plugin allowing users who are registering new accounts to set their own role by supplying a 'user_type' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
Published: 2025-11-03
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the user registration process of the Doccure Core plugin for WordPress. The plugin accepts a 'user_type' parameter that lets whoever submits the registration form specify the role of the newly created user. Because the plugin neither restricts nor validates this input, an attacker can submit a registration request that assigns the administrator role, thereby creating an account with full site privileges. The result is unauthenticated privilege escalation, giving the attacker complete control over the WordPress installation.

Affected Systems

The flaw affects Dream Technologies’ Doccure Core plugin for WordPress on all installations running any version earlier than 1.5.4. The affected code resides in the plugin’s registration handler, which is active on every site that enables user sign‑ups through Doccure Core.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating a critical threat. EPSS is reported as less than 1%, so widespread exploitation has not yet been observed, and the CVE does not appear in the CISA KEV list. Based on the description, it is inferred that the registration endpoint is publicly accessible and accepts the user_type parameter from unauthenticated requests, so an attacker can send a crafted POST request. Attackers need only include a 'user_type' value of administrator; no prior compromise or authentication is required.

Generated by OpenCVE AI on April 22, 2026 at 00:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Doccure Core release (1.5.4 or newer) to remove the vulnerable registration path.
  • Disable or restrict user registration through the plugin, ensuring only authorized administrators can create accounts.
  • Configure WordPress to ignore or strip the 'user_type' parameter during registration to prevent privilege assignment by unauthenticated users.
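As an added illustration of the Impact and Recommended Actions sections above, not Doccure Core's own code, here is a registration handler that takes its role straight from the request, beside a hardened version that maps 'user_type' through a server-side allowlist; the function names, the 'patient'/'doctor' labels and the AJAX action name are assumptions:

```php
<?php
// Added illustration, not Doccure Core's own code. Function names, the
// 'patient'/'doctor' labels and the AJAX action name are assumptions.
function demo_userdata_from_request( $role ) {
    return array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => $role,
    );
}
// Vulnerable pattern the advisory describes: the request-supplied 'user_type'
// becomes the role outright, so the client can simply ask for 'administrator'.
function demo_register_vulnerable() {
    $user_type = sanitize_text_field( wp_unslash( $_POST['user_type'] ?? '' ) );
    wp_insert_user( demo_userdata_from_request( $user_type ) );
}

// Hardened: the client only picks a label; the server maps it through a fixed
// allowlist, refuses any role carrying admin-level capabilities, and falls back
// to the site's default role for anything unexpected.
const DEMO_SELF_REGISTER_ROLES = array(
    'patient' => 'subscriber', // assumed label-to-role mapping
    'doctor'  => 'subscriber', // any elevation happens later through an admin action
);

function demo_role_for_user_type( $user_type ) {
    $label = strtolower( trim( (string) $user_type ) );
    $role  = DEMO_SELF_REGISTER_ROLES[ $label ] ?? get_option( 'default_role', 'subscriber' );
    $obj   = wp_roles()->get_role( $role );
    foreach ( array( 'manage_options', 'edit_users', 'promote_users', 'install_plugins' ) as $cap ) {
        if ( ! $obj || $obj->has_cap( $cap ) ) {
            return 'subscriber'; // defence in depth, even if the allowlist is misconfigured
        }
    }
    return $role;
}

function demo_register_hardened() {
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    check_ajax_referer( 'demo_register', 'nonce' ); // dies on a missing or invalid nonce
    $user_id = wp_insert_user( demo_userdata_from_request( demo_role_for_user_type( $_POST['user_type'] ?? '' ) ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_demo_register', 'demo_register_hardened' );
```

The capability check in demo_role_for_user_type is what stops a request from ever landing on administrator, regardless of what label the form sends.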

Advisories

No advisories yet.

History

Tue, 04 Nov 2025 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Mon, 03 Nov 2025 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 03 Nov 2025 14:45:00 +0000

Type | Values Removed | Values Added
Description | | The Doccure Core plugin for WordPress is vulnerable to privilege escalation in versions up to, and excluding, 1.5.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_type' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
Title | | Doccure Core < 1.5.4 - Unauthenticated Privilege Escalation
Weaknesses | | CWE-269
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:36.844Z

Reserved: 2025-08-12T18:18:27.477Z

Link: CVE-2025-8900

Vulnrichment

Updated: 2025-11-03T14:42:11.103Z

NVD

Status: Deferred

Published: 2025-11-03T15:15:38.177

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8900

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z

Weaknesses