CVE-2025-8572

WordPress · Truelysell Core Plugin

The Truelysell Core plugin for WordPress is vulnerable to unauthenticated privilege escalation: an attacker can create an administrator account by manipulating the 'user_role' parameter of the registration request.

Executive summary

A critical privilege escalation flaw in the Truelysell Core WordPress plugin allows unauthenticated attackers to register new accounts with full administrator privileges.

Vulnerability

The registration handler accepts the 'user_role' parameter from the request and applies it to the new account without restricting it to the roles the plugin intends to offer. An unauthenticated visitor can therefore submit "administrator" (or any other elevated role) during sign-up and is created with that role.
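The pattern described above, as an added illustration that is not the Truelysell Core source: a WordPress registration handler that copies the client-supplied role onto the new account, beside a hardened version that maps the request onto a server-side allow-list, refuses any role carrying administrative capabilities, and honours the core "anyone can register" setting. The hook name, nonce action, the `customer`/`provider` roles and the `example_` function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Hook, nonce and role names are
// hypothetical; WordPress API calls (wp_insert_user, get_role, ...) are real.

// VULNERABLE PATTERN: the role is taken straight from the request. An
// attacker who posts user_role=administrator gets exactly that role.
function example_register_user_vulnerable() {
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    $role     = sanitize_text_field( wp_unslash( $_POST['user_role'] ?? 'subscriber' ) );

    $user_id = wp_create_user( $username, $password, $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    // sanitize_text_field() strips tags, it does not restrict the value.
    wp_update_user( array( 'ID' => $user_id, 'role' => $role ) );
    wp_send_json_success( array( 'id' => $user_id ) );
}

// HARDENED PATTERN: the client may only choose among roles the plugin
// deliberately offers, and nothing admin-capable is reachable at all.
function example_allowed_self_registration_roles() {
    // Hypothetical plugin roles; filterable so a site owner can narrow the list.
    return apply_filters( 'example_self_registration_roles', array( 'customer', 'provider' ) );
}

function example_register_user_hardened() {
    // Respect the core setting, so disabling registration actually disables it.
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    // Tie the request to the plugin's own form (fails with HTTP 403 otherwise).
    check_ajax_referer( 'example_register_nonce', 'nonce' );

    $username  = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email     = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password  = (string) ( $_POST['password'] ?? '' );
    $requested = sanitize_key( wp_unslash( $_POST['user_role'] ?? '' ) );

    // Allow-list: "administrator", "editor" or an unknown string all fall
    // back to the site's default role instead of being honoured.
    $allowed = example_allowed_self_registration_roles();
    $role    = in_array( $requested, $allowed, true )
        ? $requested
        : get_option( 'default_role', 'subscriber' );

    // Second line of defence: refuse any role that can manage users or code,
    // even if a misconfigured filter or default_role puts one in reach.
    $role_obj = get_role( $role );
    if ( ! $role_obj
        || $role_obj->has_cap( 'edit_users' )
        || $role_obj->has_cap( 'promote_users' )
        || $role_obj->has_cap( 'activate_plugins' )
        || $role_obj->has_cap( 'manage_options' ) ) {
        wp_send_json_error( 'Invalid role.', 400 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}

// Only the hardened handler is exposed to unauthenticated (nopriv) requests.
add_action( 'wp_ajax_nopriv_example_register', 'example_register_user_hardened' );
```

The capability check on the resolved role is deliberate redundancy: the allow-list is the fix, but checking `get_role()` for `edit_users`, `promote_users`, `activate_plugins` or `manage_options` means a later change to the filter or to the site's `default_role` option cannot silently reopen the hole.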

Business impact

This flaw grants attackers total control over the WordPress environment. With administrator access, a threat actor can modify site content, read user data, install malicious plugins or themes (which on a default install means running arbitrary PHP on the web server), or delete the entire site. The CVSS score of 9.8 reflects an attack that is reachable over the network, needs no credentials or user interaction, is low in complexity, and yields full loss of confidentiality, integrity and availability.

Remediation

Immediate Action: Update the Truelysell Core plugin to a version later than 1.8.7, where role validation is enforced.

Proactive Monitoring: Review the WordPress user list for administrator (or other elevated) accounts created since the vulnerable version was installed, and check whether any low-privilege account has acquired a second role. Look in web server, WAF or application logs for registration requests carrying a 'user_role' parameter; note that standard access logs record only the query string, so a 'user_role' value sent in a POST body will only be visible where a WAF or the application logs request bodies.

Compensating Controls: Until the patch is applied, disable public user registration (Settings, General, "Anyone can register") if it is not a core requirement of the site's business function, and confirm that the plugin's own registration form or endpoint is actually disabled as a result, since plugin-supplied registration handlers do not necessarily honour that core setting.
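The account review from the monitoring step above, as an added hunting script that is not part of this advisory or the plugin. It runs under WP-CLI, lists every account registered since a cut-off date that holds a sensitive capability and is not in a known-good list, and also flags accounts carrying more than one role (an elevated role bolted onto an ordinary one). The file name, the cut-off default and the `$expected_admins` baseline are constructed placeholders.

```php
<?php
/**
 * Added hunting script (not part of the advisory or the plugin).
 *
 * Run from the site root with WP-CLI, passing the earliest date the
 * vulnerable plugin version may have been installed:
 *   wp eval-file find-elevated-accounts.php 2025-07-01
 * WP-CLI exposes positional arguments to the file as $args.
 */

if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    exit( "Run with: wp eval-file find-elevated-accounts.php <since-date>\n" );
}

$since = isset( $args[0] ) ? $args[0] : '-30 days'; // any strtotime() string

// Constructed baseline: replace with the site's documented administrator logins.
$expected_admins = array( 'siteowner' );

// Capabilities that should never appear on a self-registered account.
$sensitive_caps = array(
    'manage_options', 'edit_users', 'promote_users',
    'activate_plugins', 'edit_plugins', 'edit_themes',
);

$query = new WP_User_Query( array(
    'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
    'orderby'    => 'registered',
    'order'      => 'DESC',
    'number'     => -1, // no pagination: return every matching user
) );

$findings = array();
foreach ( $query->get_results() as $user ) {
    $hits = array();
    foreach ( $sensitive_caps as $cap ) {
        if ( $user->has_cap( $cap ) ) {
            $hits[] = $cap;
        }
    }
    $unknown    = ! in_array( $user->user_login, $expected_admins, true );
    $multi_role = count( $user->roles ) > 1;

    if ( ( $hits && $unknown ) || $multi_role ) {
        $findings[] = array(
            'ID'              => $user->ID,
            'user_login'      => $user->user_login,
            'user_email'      => $user->user_email,
            'user_registered' => $user->user_registered,
            'roles'           => implode( ',', $user->roles ),
            'sensitive_caps'  => implode( ',', $hits ),
        );
    }
}

if ( ! $findings ) {
    WP_CLI::success( "No unexpected elevated accounts registered since $since." );
} else {
    WP_CLI::warning( count( $findings ) . ' account(s) need review:' );
    WP_CLI\Utils\format_items( 'table', $findings, array(
        'ID', 'user_login', 'user_email', 'user_registered', 'roles', 'sensitive_caps',
    ) );
}
```

Pass a generous cut-off (or a date before the plugin was installed) on the first run: `user_registered` is the only creation timestamp WordPress keeps, and an attacker who already holds administrator access could have altered it, so the capability and multi-role checks matter more than the date filter. Any account the script lists that the site owner cannot vouch for should be treated as a compromise indicator, not just deleted.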

Exploitation status

Public Exploit Available: false

Analyst recommendation

Immediate remediation is mandatory. Administrative access is the end state most attackers against a WordPress site are working toward, and this vulnerability hands it over without any existing credentials. Apply the update now, then verify that no rogue accounts were created while the vulnerable version was exposed.