A critical privilege escalation vulnerability, identified as CVE-2025-8900, has been discovered in the Doccure Core plugin for WordPress. This flaw allows an unauthenticated attacker to create a new user account with full administrative privileges during the standard registration process. Successful exploitation results in a complete compromise of the affected website, enabling the attacker to steal data, deface the site, or install malware.

The vulnerability exists within the user registration functionality of the Doccure Core plugin. The registration process fails to properly validate or restrict the user role that can be assigned to a new account. An unauthenticated attacker can exploit this by intercepting the registration request and injecting a parameter to specify a high-privilege role, such as 'administrator'. The plugin processes this malicious request without proper authorization checks, creating a new user with the requested administrative privileges, thereby granting the attacker full control over the WordPress instance.

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit leads to a full system compromise, presenting a severe risk to the organization. An attacker with administrative access can deface the website, steal sensitive user data (including PII and customer information), install malicious backdoors, delete content and backups, or leverage the compromised server to launch further attacks. The potential consequences include significant reputational damage, financial loss from business disruption, costs associated with incident response, and potential regulatory fines for data breaches.

Immediate Action: Immediately update the Doccure Core plugin for WordPress to the patched version 1.5.4 or later. After updating, conduct a thorough audit of all user accounts, especially those with administrative privileges, to identify and remove any unauthorized accounts created by attackers.

Proactive Monitoring: Monitor web server access logs and security logs for an unusual number of new user registration attempts, particularly from single IP addresses. Specifically, search for POST requests to the registration endpoint containing parameters such as role=administrator or similar attempts to set user capabilities. Implement alerts for the creation of any new administrative-level accounts.

Compensating Controls: If patching cannot be performed immediately, consider the following mitigating actions:

• Disable user registration functionality through the plugin entirely if it is not a critical feature for your website.
• Deploy a Web Application Firewall (WAF) with a rule to inspect and block registration requests that contain parameters attempting to set a user role.
• Restrict access to the registration page to only trusted IP addresses.

Public Exploit Available: true

This vulnerability poses a direct and critical threat to the organization and requires immediate remediation. It is strongly recommended that all teams responsible for WordPress websites identify instances running the Doccure Core plugin and upgrade to version 1.5.4 or a later version immediately. Due to the high probability of active exploitation, organizations should assume their vulnerable systems are being targeted. After patching, a full audit of user accounts and site integrity is essential to ensure a compromise has not already occurred.