{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8900", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-12T18:18:27.477Z", "datePublished": "2025-11-03T14:26:38.140Z", "dateUpdated": "2026-04-08T16:50:36.844Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:50:36.844Z"}, "affected": [{"vendor": "dreamstechnologies", "product": "Doccure Core", "versions": [{"version": "0", "status": "affected", "lessThan": "1.5.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Doccure Core plugin for WordPress is vulnerable to privilege escalation in versions up to, and excluding, 1.5.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_type' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role."}], "title": "Doccure Core < 1.5.4 - Unauthenticated Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/49e133c9-5d3b-4a2a-8385-e2db44baa217?source=cve"}, {"url": "https://themeforest.net/item/doccure-medical-wordpress-theme/34329202"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Alyudin Nafiie"}], "timeline": [{"time": "2025-10-31T18:22:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-03T14:41:50.499564Z", "id": "CVE-2025-8900", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T14:42:18.817Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8900", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-03T14:41:50.499564Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T14:42:11.103Z"}}], "cna": {"title": "Doccure Core < 1.5.4 - Unauthenticated Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Alyudin Nafiie"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "dreamstechnologies", "product": "Doccure Core", "versions": [{"status": "affected", "version": "*", "lessThan": "1.5.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-31T18:22:55.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/49e133c9-5d3b-4a2a-8385-e2db44baa217?source=cve"}, {"url": "https://themeforest.net/item/doccure-medical-wordpress-theme/34329202"}], "descriptions": [{"lang": "en", "value": "The Doccure Core plugin for WordPress is vulnerable to privilege escalation in versions up to, and excluding, 1.5.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_type' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-03T14:26:38.140Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8900", "state": "PUBLISHED", "dateUpdated": "2025-11-03T14:42:18.817Z", "dateReserved": "2025-08-12T18:18:27.477Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-03T14:26:38.140Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Doccure Core plugin for WordPress is vulnerable to privilege escalation in versions up to, and excluding, 1.5.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_type' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role."}], "id": "CVE-2025-8900", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-03T15:15:38.177", "references": [{"source": "security@wordfence.com", "url": "https://themeforest.net/item/doccure-medical-wordpress-theme/34329202"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/49e133c9-5d3b-4a2a-8385-e2db44baa217?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:40:35.202682+00:00", "value": {"mitigation_remediation": ["Apply the latest Doccure Core release (1.5.4 or newer) to remove the vulnerable registration path.", "Disable or restrict user registration through the plugin, ensuring only authorized administrators can create accounts.", "Configure WordPress to ignore or strip the 'user_type' parameter during registration to prevent privilege assignment by unauthenticated users."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The flaw affects Dream Technologies\u2019 Doccure Core plugin for WordPress on all installations running any version earlier than 1.5.4. The affected code resides in the plugin\u2019s registration handler, which is active on every site that enables user sign\u2011ups through Doccure Core.", "description_and_impact": "The vulnerability lies in the user registration process of the Doccure Core plugin for WordPress. The plugin accepts a 'user_type' parameter that allows a new account creator to specify the role of the newly registered user. Because this input is not authenticated or validated, an attacker can submit a registration request that assigns the administrator role, thereby creating an account with full site privileges. This results in unauthenticated privilege escalation and gives the attacker complete control over the WordPress installation.", "risk_and_exploitability": "The vulnerability scores a CVSS of 9.8, indicating a critical threat. EPSS is reported as less than 1%, so widespread exploitation has not yet been observed, and it does not appear in the CISA KEV list. Based on the description, it is inferred that the registration endpoint is publicly accessible and accepts the user_type parameter from unauthenticated requests, allowing an attacker to send a crafted POST request. Attackers need only to include a 'user_type' of administrator; no prior compromise or authentication is required."}}}}, "created": "2025-11-04T16:34:51.037048+00:00", "updated": "2026-04-22T00:45:04.159888+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}