CVE-2025-8900

CVE-2025-8900 is a privilege escalation vulnerability affecting the Doccure Core plugin for WordPress in versions up to, and excluding, 1.5.4. The flaw stems from the plugin permitting users registering new accounts to arbitrarily set their own role by supplying a 'user_type' field, enabling unauthenticated attackers to create accounts with elevated privileges such as administrator. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management). The vulnerability was published on 2025-11-03.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting a registration request with a manipulated 'user_type' field specifying an administrator role, attackers gain full administrative access to the affected WordPress site, potentially allowing complete compromise including data exfiltration, modification, or deletion, as indicated by the high confidentiality, integrity, and availability impacts in the CVSS vector.

Mitigation involves updating the Doccure Core plugin to version 1.5.4 or later, which addresses the registration role manipulation issue. Security practitioners should consult advisories from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/49e133c9-5d3b-4a2a-8385-e2db44baa217?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/doccure-medical-wordpress-theme/34329202 for additional details on patches and scanning tools.