CVE-2025-9114
The Doccure theme for WordPress
Executive summary
A critical vulnerability has been identified in the Doccure theme for WordPress, assigned CVE-2025-9114 with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to change the password of any user on an affected website, including administrators. Successful exploitation could lead to a complete compromise of the website, resulting in data theft, website defacement, or malware distribution.
Vulnerability
The vulnerability is an Insecure Direct Object Reference (IDOR) flaw within the password change functionality. The theme fails to properly validate that the user initiating a password change request is the same user whose password is being modified. An attacker can exploit this by intercepting a password change request and manipulating the user identifier parameter to target any other user account on the system, without needing to know the victim's current password.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation can lead to a complete account takeover of any user, including high-privileged administrator accounts. A successful attack would grant the threat actor full control over the affected WordPress site, posing significant risks such as the theft of sensitive customer or business data, unauthorized content modification, reputational damage, and the use of the compromised website to host malicious content or launch further attacks.
Remediation
Immediate Action: Update the Doccure theme for WordPress to the latest patched version (greater than 1.4.8) as recommended by the vendor without delay. After patching, review all user accounts, particularly administrator accounts, for unauthorized password changes or other suspicious activity.
Proactive Monitoring: Monitor web server and application logs for unusual patterns related to password reset functions. Specifically, look for multiple failed or successful password change requests from a single IP address targeting different user accounts. Review access logs for any successful logins from unfamiliar IP addresses immediately following a password change event.
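The two log patterns described above, as an added example that is not part of this advisory and not code from the theme's vendor: a small Python detector that (1) flags a source IP issuing password-change requests, failed or successful, against several distinct user IDs inside a short window, and (2) flags a successful login for a user from an IP never seen logging in as that user before, shortly after that user's password was changed. The simplified one-line log format, the IP addresses, user IDs, thresholds and the baseline of "familiar" logins are all constructed for the example; the theme's real endpoint and your web server's log layout are not given in the advisory, so the parser is the part you would adapt.

```python
"""Detection sketch for the password-change monitoring guidance.

Log format, addresses, user IDs and thresholds below are constructed for
this example; adapt LINE_RE to the actual access/audit log you collect.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed format: "<iso-ts> <ip> <event> user=<id> status=<http-code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>password_change|login) "
    r"user=(?P<uid>\d+) status=(?P<status>\d{3})$"
)


@dataclass
class Event:
    ts: datetime
    ip: str
    event: str
    user_id: int
    status: int


def parse_log(lines):
    """Turn raw lines into Event objects, sorted by time; other lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["ip"], m["event"], int(m["uid"]), int(m["status"])))
    return sorted(events, key=lambda e: e.ts)


def spraying_sources(events, min_targets=3, window=timedelta(minutes=10)):
    """Rule 1: one IP sending password-change requests (any status) against
    at least `min_targets` distinct user IDs within a sliding time window.
    Returns {ip: sorted list of targeted user IDs}."""
    by_ip = defaultdict(list)
    for e in events:
        if e.event == "password_change":
            by_ip[e.ip].append(e)
    alerts = defaultdict(set)
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            targets = {e.user_id for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[ip].update(targets)
    return {ip: sorted(t) for ip, t in alerts.items()}


def suspicious_logins(events, baseline_events, grace=timedelta(minutes=15)):
    """Rule 2: successful login for user U from an IP that never logged in
    as U in the baseline period, within `grace` after U's successful
    password change. Returns a list of (user_id, ip, timestamp)."""
    familiar = defaultdict(set)
    for e in baseline_events:
        if e.event == "login" and e.status == 200:
            familiar[e.user_id].add(e.ip)
    last_change = {}
    hits = []
    for e in events:
        if e.event == "password_change" and e.status == 200:
            last_change[e.user_id] = e.ts
        elif e.event == "login" and e.status == 200:
            changed_at = last_change.get(e.user_id)
            if (changed_at is not None and e.ts - changed_at <= grace
                    and e.ip not in familiar[e.user_id]):
                hits.append((e.user_id, e.ip, e.ts))
    return hits


# Constructed baseline: where each user normally logs in from (earlier day).
BASELINE_LOG = [
    "2025-08-19T09:00:00Z 198.51.100.9 login user=1 status=200",
    "2025-08-19T09:05:00Z 198.51.100.20 login user=7 status=200",
]

# Constructed sample: one IP walks through several user IDs, then logs in
# as user 1 (the admin); user 7 later does a legitimate self-service change.
SAMPLE_LOG = [
    "2025-08-20T10:00:01Z 203.0.113.5 password_change user=7 status=403",
    "2025-08-20T10:00:03Z 203.0.113.5 password_change user=8 status=200",
    "2025-08-20T10:00:05Z 203.0.113.5 password_change user=1 status=200",
    "2025-08-20T10:00:40Z 203.0.113.5 login user=1 status=200",
    "2025-08-20T10:02:00Z 198.51.100.9 login user=1 status=401",   # admin's old password now fails
    "2025-08-20T10:30:00Z 198.51.100.20 password_change user=7 status=200",
    "2025-08-20T10:31:00Z 198.51.100.20 login user=7 status=200",  # familiar IP: not flagged
    "2025-08-20T10:32:00Z 198.51.100.20 GET /wp-login.php",         # not an event we parse
]


def run(lines=SAMPLE_LOG, baseline=BASELINE_LOG):
    events = parse_log(lines)
    return {
        "spraying": spraying_sources(events),
        "post_change_logins": suspicious_logins(events, parse_log(baseline)),
    }


if __name__ == "__main__":
    for name, finding in run().items():
        print(f"{name}: {finding}")
```

Rule 1 deliberately counts failed requests too, since an attacker probing user IDs will produce rejections as well as successes; rule 2 needs a baseline of known-good logins per user, which in practice you would build from a week or more of history rather than the two constructed lines here.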
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with custom rules to inspect and block malicious password change requests that target user IDs other than the currently authenticated user. Enforce Multi-Factor Authentication (MFA) for all users, especially administrators, as this can prevent an attacker from logging in even if they successfully change a password.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8, this vulnerability requires immediate attention. We strongly recommend that all organizations using the Doccure theme for WordPress apply the security update without delay. Although this CVE is not currently listed on the CISA KEV catalog, its potential for full system compromise makes it a high-priority target for threat actors. A post-patch audit of all user accounts should be conducted to ensure no compromise has already occurred.