CVE-2025-10742

The Truelysell Core plugin for WordPress

A critical vulnerability has been identified in the Truelysell Core plugin for WordPress, which allows an attacker to change the password of any user on an affected website, including administrators.

Executive summary

The flaw lets an attacker with no prior authentication change the password of any user on an affected site, including administrators. Successful exploitation could lead to a complete compromise of the website, resulting in data theft, service disruption, and significant reputational damage. Immediate patching is required to mitigate this high-risk vulnerability.

Vulnerability

The vulnerability exists due to an insecure direct object reference (IDOR) flaw within the plugin's password change functionality. The plugin fails to properly validate that the user initiating a password change request is authorized to modify the target account. An attacker can exploit this by sending a crafted request to the server, specifying the username or ID of a victim, and providing a new password, allowing them to take over any account without prior authentication or authorization.
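To make the missing check concrete, the following is an added example and not the Truelysell Core plugin's own code: a hypothetical WordPress AJAX password-change handler in the IDOR-prone shape described above, beside a hardened version that performs the authentication, CSRF and object-level authorization checks the vulnerable shape omits. The action name `example_change_password` and the request parameter names are assumptions; the WordPress functions used (`check_ajax_referer`, `current_user_can`, `wp_check_password`, `wp_set_password`, `wp_send_json_error`) are standard core APIs.

```php
<?php
// Added example (hypothetical handler, not the plugin's code).
// Vulnerable shape: trusts the caller-supplied user ID and performs no
// authentication, nonce, or authorization check before resetting the password.
function example_change_password_vulnerable() {
    $user_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $password = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    wp_set_password( $password, $user_id ); // any account, any caller
    wp_send_json_success( 'Password updated.' );
}

// Hardened shape: the same operation with the checks an IDOR fix requires.
function example_change_password_hardened() {
    // 1. Require an authenticated session. The handler is registered only on
    //    the wp_ajax_ hook below, never on wp_ajax_nopriv_.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Authentication required.', 401 ); // wp_die()s
    }

    // 2. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'example_change_password', 'nonce' );

    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $password  = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    if ( $target_id === 0 || ! get_userdata( $target_id ) ) {
        wp_send_json_error( 'Unknown user.', 400 );
    }

    // 3. Object-level authorization: a caller may change their own password,
    //    or someone else's only when they hold the edit_user capability for it.
    $current_id = get_current_user_id();
    if ( $target_id !== $current_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'Not authorized to change this account.', 403 );
    }

    // 4. Re-authentication: changing one's own password requires the current one.
    if ( $target_id === $current_id ) {
        $current_pw = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
        $user       = wp_get_current_user();
        if ( ! wp_check_password( $current_pw, $user->user_pass, $current_id ) ) {
            wp_send_json_error( 'Current password is incorrect.', 403 );
        }
    }

    // 5. Minimal policy on the new secret (threshold is an assumption).
    if ( strlen( $password ) < 12 ) {
        wp_send_json_error( 'Password must be at least 12 characters.', 400 );
    }

    wp_set_password( $password, $target_id );
    wp_send_json_success( 'Password updated.' );
}

// Only the hardened handler is registered, and only for logged-in users.
add_action( 'wp_ajax_example_change_password', 'example_change_password_hardened' );
```

The decisive difference is step 3: the vulnerable shape accepts whatever `user_id` the request names, while the hardened shape binds the target to the authenticated caller's identity or to an explicit capability check, so a user cannot reach another account simply by changing an identifier.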

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation allows an attacker to gain unauthorized administrative control over the affected WordPress site. This could lead to severe business consequences, including the theft of sensitive customer data and personally identifiable information (PII), website defacement, injection of malware to attack site visitors, and complete service disruption. The potential for reputational damage and financial loss is substantial.

Remediation

Immediate Action: Update the Truelysell Core plugin for WordPress to the latest patched version (greater than 1.8.6). After updating, it is critical to review all user accounts, especially those with administrative privileges, for any unauthorized changes or suspicious activity. Review access logs for any anomalous password change requests.

Proactive Monitoring: Implement continuous monitoring of web server and application logs for indicators of compromise. Specifically, look for unusual or multiple password change requests originating from a single IP address, unexpected changes to administrative accounts, and direct web requests targeting the plugin's password management functions. A Web Application Firewall (WAF) can be configured to alert on or block such suspicious patterns.
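As an added example of the monitoring described above (not part of the advisory or the plugin), the script below scans web server access logs in Combined Log Format and flags any client IP that sent repeated requests to a password-change endpoint. The endpoint pattern (`admin-ajax.php` with an `action=change_password` query parameter), the sample log lines and the alert threshold are all constructed assumptions; substitute the real route for the plugin. Note that access logs normally do not record POST bodies, so if the action name travels only in the body, this match must instead be applied at a WAF or application layer that sees the request body.

```php
<?php
// Added detection example; endpoint pattern and threshold are assumptions.
const PASSWORD_CHANGE_PATTERN = '#/wp-admin/admin-ajax\.php\?(?:.*&)?action=change_password(?:&|$)#';

// Parse one Combined Log Format line into its fields, or return null on mismatch.
function parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

// Count password-change requests per client IP and return those at or above
// the threshold, keyed by IP.
function find_password_change_bursts( array $lines, int $threshold = 3 ): array {
    $counts = [];
    foreach ( $lines as $line ) {
        $entry = parse_log_line( $line );
        if ( $entry === null || ! preg_match( PASSWORD_CHANGE_PATTERN, $entry['path'] ) ) {
            continue;
        }
        $counts[ $entry['ip'] ] = ( $counts[ $entry['ip'] ] ?? 0 ) + 1;
    }
    return array_filter( $counts, fn( int $n ): bool => $n >= $threshold );
}

// Constructed sample log lines: one client hammers the endpoint, one does not.
$sample_log = [
    '203.0.113.5 - - [10/Oct/2025:09:12:01 +0000] "POST /wp-admin/admin-ajax.php?action=change_password HTTP/1.1" 200 55',
    '203.0.113.5 - - [10/Oct/2025:09:12:03 +0000] "POST /wp-admin/admin-ajax.php?action=change_password HTTP/1.1" 200 55',
    '198.51.100.7 - - [10/Oct/2025:09:13:40 +0000] "GET /index.php HTTP/1.1" 200 8123',
    '203.0.113.5 - - [10/Oct/2025:09:12:05 +0000] "POST /wp-admin/admin-ajax.php?action=change_password HTTP/1.1" 200 55',
    '198.51.100.7 - - [10/Oct/2025:09:14:02 +0000] "POST /wp-admin/admin-ajax.php?action=change_password HTTP/1.1" 200 55',
    'not a log line at all',
];

foreach ( find_password_change_bursts( $sample_log ) as $ip => $n ) {
    printf( "ALERT: %s sent %d password-change requests\n", $ip, $n );
}
```

The same count can be grouped by target account instead of source IP, which also covers the second indicator mentioned above: unexpected changes to administrative accounts that arrive from many different addresses.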

Compensating Controls: If immediate patching is not feasible, consider disabling the Truelysell Core plugin until the update can be applied. Alternatively, implement a Web Application Firewall (WAF) rule to specifically block requests to the vulnerable password change endpoint. Enforcing mandatory Multi-Factor Authentication (MFA) for all users, especially administrators, can also serve as a critical compensating control, as it would prevent an attacker from logging in even with a changed password.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity of this vulnerability, immediate action is required. Organizations using the affected versions of the Truelysell Core plugin must prioritize applying the security update immediately. Although this vulnerability is not currently listed on the CISA KEV catalog, its high impact and potential for full system compromise make it an attractive target for attackers. A patch-first approach is the most effective strategy to prevent a potential compromise.