PT-2025-42426 · WordPress · Truelysell Core

István Márton · Published 2025-10-16 · Updated 2025-10-21 · CVE-2025-10742

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Truelysell Core plugin for WordPress, versions up to and including 1.8.6

Description: The Truelysell Core plugin for WordPress is susceptible to unauthorized user password modification. The plugin allows user-controlled access to objects (an insecure direct object reference), so an attacker can bypass authorization and reach resources belonging to other users. Unauthenticated attackers can use this to change other users' passwords, potentially gaining control of administrator accounts. Exploitation requires knowledge of a page containing the 'truelysell edit staff' shortcode.

Recommendations: Versions prior to 1.8.6 are affected. Update to a version newer than 1.8.6. Limit access to the page containing the 'truelysell edit staff' shortcode. Enable multi-factor authentication. Monitor system activity for suspicious behavior.
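The following is an added illustration of the vulnerability class described above and of the checks that close it; it is not Truelysell Core's code, and the handler, field names and nonce action are hypothetical. The insecure pattern trusts a user ID taken from the request and performs no authentication or authorization before setting a password; the hardened pattern requires a logged-in user, a valid nonce, ownership of the target account (or the 'edit_users' capability), and re-verification of the current password for self-service changes.

```php
<?php
// Added example, not the plugin's own code. A hypothetical front-end handler
// behind a "staff edit" shortcode that lets a staff member change a password.

// Insecure pattern (hypothetical): the target user ID and new password come
// straight from the request and nothing checks who is asking. Any visitor who
// can reach the page can set any account's password, which is the IDOR class
// the advisory describes.
function insecure_staff_password_update() {
    if ( isset( $_POST['staff_id'], $_POST['new_password'] ) ) {
        wp_set_password( $_POST['new_password'], (int) $_POST['staff_id'] );
    }
}

// Hardened pattern: authenticate, verify a nonce, enforce object-level
// authorization on the target account, and re-prove the current password.
function hardened_staff_password_update() {
    if ( ! isset( $_POST['staff_id'], $_POST['new_password'], $_POST['current_password'] ) ) {
        return; // not a password-change submission
    }

    // 1. Authentication: anonymous visitors never reach the update.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. CSRF protection. Field name and action string are assumed names.
    $nonce = isset( $_POST['_staff_pw_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_staff_pw_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'staff_password_update' ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }

    $target_id = absint( $_POST['staff_id'] );
    $actor_id  = get_current_user_id();

    // 3. Object-level authorization: the request may only act on the actor's
    //    own account unless the actor is allowed to edit users site-wide.
    if ( $target_id !== $actor_id && ! current_user_can( 'edit_users' ) ) {
        wp_die( 'You may not change this account.', 'Forbidden', array( 'response' => 403 ) );
    }

    $user = get_user_by( 'id', $target_id );
    if ( ! $user ) {
        return; // unknown account; nothing to change
    }

    // 4. Self-service changes must present the current password.
    $current = (string) wp_unslash( $_POST['current_password'] );
    if ( $target_id === $actor_id
         && ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_die( 'Current password is incorrect.', 'Forbidden', array( 'response' => 403 ) );
    }

    // Passwords are hashed, not sanitized, so only length is policed here.
    $new_password = (string) wp_unslash( $_POST['new_password'] );
    if ( strlen( $new_password ) < 12 ) {
        wp_die( 'Password too short.', 'Bad Request', array( 'response' => 400 ) );
    }

    wp_set_password( $new_password, $target_id );

    // Audit trail: who changed whose password. An administrator's password
    // being changed from a front-end page is exactly the event to monitor.
    error_log( sprintf( 'Password for user %d changed by user %d', $target_id, $actor_id ) );
}

// Hook the hardened handler so it runs for front-end form submissions.
add_action( 'template_redirect', 'hardened_staff_password_update' );
```

The order of checks matters: authentication and the nonce fail closed before any user object is loaded, and the capability test is on the relationship between actor and target, not on the presence of a user ID in the request. The audit line gives defenders something concrete to alert on while the advisory's recommendation to monitor for suspicious behavior is in force.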

Fix

IDOR


Weakness Enumeration

Related Identifiers

CVE-2025-10742

Affected Products

Truelysell Core