Severity by source
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8, Critical)
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to the doctreat_process_registration() function not properly restricting the roles that a user can register with. This makes it possible for unauthenticated attackers to register as an administrator user.
Analysis (AI)
Unauthenticated privilege escalation in the Doctreat Core WordPress plugin (versions ≤ 1.6.8) allows remote attackers to register accounts directly as administrators by abusing insufficient role validation in the doctreat_process_registration() function. With a CVSS of 9.8 and trivial exploitability (AV:N/AC:L/PR:N/UI:N), full site takeover is possible without credentials, though no public exploit has been identified at time of analysis and the CVE is not currently listed in CISA KEV.
Technical Context (AI)
The Doctreat Core plugin underpins the commercial Doctreat doctors-directory WordPress theme sold on ThemeForest (item 24867777) by Amentotech. WordPress core's wp_insert_user() accepts a 'role' entry in its userdata array and assigns that role as given, with no capability check of its own, so any role a registration handler forwards to it must be validated server-side; a role name that arrives in the HTTP request is attacker-controlled. CWE-269 (Improper Privilege Management) applies here: the doctreat_process_registration() handler accepts the desired role from the registration request without restricting it to the intended low-privilege values (for example subscriber, or the theme's own doctor and patient roles), allowing 'administrator' to be passed through to user creation. The affected CPE is cpe:2.3:a:amentotech:doctreat_core:*:*:*:*:*:*:*:* covering all versions through 1.6.8.
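The pattern the CWE-269 description refers to, as an added illustration rather than the plugin's actual code: a registration handler that forwards a client-supplied role to wp_insert_user(), beside a hardened version that resolves the role against a server-side allowlist and refuses to run when registration is closed. The function names, the user_role form field, the nonce action name and the doctor/patient role slugs are assumptions, since the Doctreat source is not on this page; only wp_insert_user(), get_option(), wp_verify_nonce() and the sanitize_* helpers are real WordPress core APIs.

```php
<?php
// Added illustration of the flaw class described above; this is NOT the
// Doctreat Core source. Function, field and role names are hypothetical.

// Vulnerable shape: the role comes straight from the POST body and is handed
// to wp_insert_user(), which applies whatever role it is given without any
// capability check. A request carrying user_role=administrator creates an admin.
function vulnerable_process_registration(array $post)
{
    $userdata = [
        'user_login' => sanitize_user($post['username'] ?? ''),
        'user_email' => sanitize_email($post['email'] ?? ''),
        'user_pass'  => (string) ($post['password'] ?? ''),
        'role'       => $post['user_role'] ?? get_option('default_role'),
    ];
    return wp_insert_user($userdata);
}

// Hardened shape: the roles a visitor may pick for themselves are a fixed
// allowlist checked with strict comparison; anything else becomes the site's
// default role. The slugs below are assumed for a doctors-directory site.
const SELF_REGISTRATION_ROLES = ['doctor', 'patient'];

function resolve_registration_role($requested): string
{
    // Non-string input (e.g. user_role[]=administrator) is treated as absent.
    $requested = is_string($requested) ? strtolower(trim($requested)) : '';
    if (in_array($requested, SELF_REGISTRATION_ROLES, true)) {
        return $requested;
    }
    // 'administrator', 'editor', an empty value, etc. all land here.
    return (string) get_option('default_role', 'subscriber');
}

function hardened_process_registration(array $post)
{
    // Honour the global "Anyone can register" switch so that disabling
    // self-registration in Settings > General actually closes this path.
    if (!get_option('users_can_register')) {
        return new WP_Error('registration_disabled', 'Registration is closed.');
    }
    // Nonce action name is assumed; it ties the request to the rendered form.
    if (!wp_verify_nonce($post['_wpnonce'] ?? '', 'doctreat_register')) {
        return new WP_Error('bad_nonce', 'Invalid registration request.');
    }
    $userdata = [
        'user_login' => sanitize_user($post['username'] ?? ''),
        'user_email' => sanitize_email($post['email'] ?? ''),
        'user_pass'  => (string) ($post['password'] ?? ''),
        // The only line that differs from the vulnerable handler: the role is
        // resolved server-side instead of copied from the request.
        'role'       => resolve_registration_role($post['user_role'] ?? null),
    ];
    return wp_insert_user($userdata);
}
```

The allowlist is the important part: a blocklist of 'administrator' alone would still let a request choose 'editor' or any other role the site defines, and would miss role names that differ only in case or surrounding whitespace unless normalised exactly as above.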
Remediation (AI)
No vendor-released patched version is identified in the available data: the references point only to the Wordfence threat-intel entry and the ThemeForest product page, and neither cites a fixed version. Site operators should check ThemeForest for a Doctreat theme/plugin release above 1.6.8 and apply it as soon as it is published.

Until then, apply one of the following interim measures. Disable user self-registration by unchecking 'Anyone can register' in Settings > General (side effect: legitimate doctor/patient self-onboarding will break and must be handled manually or via a vetted alternative form); note that this only helps if the plugin's registration handler honours the users_can_register option, which the available data does not confirm, so verify it by attempting a registration afterwards. Deactivate the Doctreat Core plugin if registration is not business-critical (side effect: theme features that depend on it will stop working). Or place a WAF/virtual-patching rule (e.g., Wordfence) in front of the registration endpoint that blocks requests whose role parameter is set to administrator; such a rule is only as good as its knowledge of the exact parameter name and encoding, so prefer a rule that allows only the expected low-privilege role values over one that blocks the single string 'administrator'.

After remediation, audit for unexpected administrator accounts. Roles are stored in wp_usermeta under the wp_capabilities key (table prefix varies), not in wp_users, so query for users whose capabilities meta contains 'administrator' and whose user_registered date falls after the plugin was installed, then remove or demote any that are not yours, terminate their sessions, and force a password reset on all remaining admins. Because an attacker with an administrator account can add persistence, also review recently added plugins and users, modified theme or plugin files and unexpected scheduled tasks.
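The interim guard and the post-remediation audit above, written as a WordPress must-use plugin instead of a WAF rule, as an added example that is not Doctreat, Wordfence or WordPress core code. It assumes WordPress 5.8 or later (for the second argument of the user_register action) and a standard single-site install; the plugin name and function names are made up here, while user_register, WP_User_Query, WP_Session_Tokens, wp_set_password() and wp_generate_password() are real core APIs.

```php
<?php
/**
 * Plugin Name: Block self-registered administrators (interim guard)
 *
 * Added example, not Doctreat or Wordfence code. Place it in
 * wp-content/mu-plugins/ so it loads before regular plugins and cannot be
 * deactivated from wp-admin. Function names are hypothetical.
 */

// 1. Interim guard. user_register fires after wp_insert_user() has applied the
//    role. Priority PHP_INT_MAX runs it after other listeners on the same hook,
//    so a later hook cannot re-promote the account behind its back.
add_action('user_register', function (int $user_id, array $userdata = []): void {
    // WP-CLI runs with no logged-in user; `wp user create --role=administrator`
    // is legitimate there and must not be demoted.
    if (defined('WP_CLI') && WP_CLI) {
        return;
    }
    $user = get_userdata($user_id);
    if (!$user || !in_array('administrator', (array) $user->roles, true)) {
        return;
    }
    // An administrator created from wp-admin by someone allowed to promote
    // users is fine; an unauthenticated self-registration is not.
    if (current_user_can('promote_users')) {
        return;
    }
    $user->set_role((string) get_option('default_role', 'subscriber'));
    error_log(sprintf(
        'Demoted self-registered administrator %s (ID %d) from %s',
        $user->user_login,
        $user_id,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
}, PHP_INT_MAX, 2);

// 2. Audit helper: administrators whose user_registered is on or after $since
//    (Y-m-d). Roles live in wp_usermeta (wp_capabilities); WP_User_Query does
//    that join and the date filter, so no hand-written SQL is needed.
function audit_recent_administrators(string $since): array
{
    $query = new WP_User_Query([
        'role'       => 'administrator',
        'date_query' => [['after' => $since, 'inclusive' => true]],
        'fields'     => ['ID', 'user_login', 'user_email', 'user_registered'],
        'number'     => -1,
    ]);
    return $query->get_results();
}

// 3. Containment for an account you have decided is rogue: destroy its sessions
//    (logs out every browser holding its cookie), replace the password with a
//    random one and drop it to the default role. Deleting the user is also an
//    option but loses the evidence trail for the investigation.
function contain_rogue_admin(int $user_id): void
{
    WP_Session_Tokens::get_instance($user_id)->destroy_all();
    wp_set_password(wp_generate_password(32, true, true), $user_id);
    $user = get_userdata($user_id);
    if ($user) {
        $user->set_role((string) get_option('default_role', 'subscriber'));
    }
}

// Usage from the shell (the date is a placeholder for the plugin install date):
//   wp eval 'print_r(audit_recent_administrators("2025-01-01"));'
//   wp eval 'contain_rogue_admin(42);'
```

The guard is a stopgap, not a fix: it only catches accounts that end up with the administrator role at the moment user_register fires, so it should be removed once a patched plugin version is installed and verified. Run the audit against every administrator, not only the recent ones, if the plugin has been installed longer than your logs go back.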
Related identifiers
EUVD-2025-210104
GHSA-cx49-m9xj-cc6r