Overview
A critical privilege escalation vulnerability has been identified in the Doctreat Core plugin for WordPress. Tracked as CVE-2025-6254, this flaw carries a CVSS score of 9.8 (Critical) and affects all versions up to and including 1.6.8.
The vulnerability enables unauthenticated remote attackers to register accounts with arbitrary elevated roles — including administrator — on affected WordPress installations, effectively granting full site control without requiring any prior authentication or credentials.
Technical Details
The flaw resides in the doctreat_process_registration() function, which fails to adequately validate or restrict the role parameter during user registration. An attacker can supply an arbitrary role value in the registration request payload, causing WordPress to create an account with that privileged role.
| Property | Value |
|---|---|
| CVE ID | CVE-2025-6254 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Authentication | None Required |
| Affected Versions | Doctreat Core ≤ 1.6.8 |
| CWE | CWE-269: Improper Privilege Management |
Attack Scenario
- An unauthenticated attacker discovers a WordPress site running a vulnerable version of Doctreat Core.
- The attacker submits a crafted registration request with the `role` field set to `administrator`.
- WordPress processes the registration without validating the role, creating an admin-level account.
- The attacker logs in with full administrative privileges, enabling complete site takeover, data exfiltration, or malware installation.
Affected Software
Doctreat is a medical/healthcare directory and listing WordPress theme and plugin framework commonly used to build doctor directory sites, clinic listings, and healthcare platforms. Sites using Doctreat Core for user management are directly at risk.
Remediation
Update the Doctreat Core plugin immediately to a version beyond 1.6.8 once a patched release is available. If no patch is yet available:
- Disable user registration temporarily via WordPress settings (Settings → General → uncheck "Anyone can register") until the plugin is updated.
- Audit existing user accounts for any unexpectedly privileged accounts that may have been created through exploitation.
- Implement a Web Application Firewall (WAF) to block suspicious registration requests with abnormal role parameters.
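As an added example (not code from this advisory or from Doctreat), two defender-side helpers in Python for the audit and WAF steps above: one flags a form-encoded registration body that carries a privileged value in the `role` field the advisory describes, the other scans `wp user list --format=json` output for privileged accounts registered after a cutoff date. The field name `role`, the registration body shape and the sample users are assumptions.

```python
import json
from datetime import datetime
from urllib.parse import parse_qs

# Roles an anonymous self-registration should never be able to select.
PRIVILEGED_ROLES = {"administrator", "editor", "author", "contributor"}


def flag_registration_request(body: str) -> list:
    """WAF-style rule: return privileged role values found in a form-encoded
    registration body. Assumes the field is named `role`; array-style keys
    such as role[] are also inspected."""
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    for key, values in params.items():
        if key.split("[")[0] != "role":
            continue
        hits.extend(v for v in values if v.strip().lower() in PRIVILEGED_ROLES)
    return hits


def audit_privileged_users(user_list_json: str, since: str) -> list:
    """Return privileged accounts registered on or after `since` (YYYY-MM-DD).
    Input is the JSON emitted by `wp user list --format=json` with the fields
    ID, user_login, user_registered and roles (string or list)."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    suspects = []
    for user in json.loads(user_list_json):
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        raw = user["roles"]
        roles = set(raw) if isinstance(raw, list) else {r.strip() for r in raw.split(",")}
        if registered >= cutoff and roles & PRIVILEGED_ROLES:
            suspects.append(user)
    return suspects


# Constructed sample data for demonstration only.
SAMPLE_BODY = "user_login=newdoc&user_email=x%40example.test&role=administrator&submit=1"
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_registered": "2023-01-10 09:00:00", "roles": "administrator"},
    {"ID": 57, "user_login": "patient42", "user_registered": "2025-06-20 14:11:03", "roles": "subscriber"},
    {"ID": 58, "user_login": "helpdesk", "user_registered": "2025-06-21 02:47:19", "roles": "administrator"},
])

if __name__ == "__main__":
    print("flagged role values:", flag_registration_request(SAMPLE_BODY))
    for u in audit_privileged_users(SAMPLE_USERS, "2025-06-01"):
        print("review account:", u["ID"], u["user_login"], u["roles"])
```

Any account the audit returns should be reviewed against your own provisioning records before it is removed, since a legitimately created administrator will match as well.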
CISA KEV Status
As of the publication date, CVE-2025-6254 has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. However, given the critical CVSS score and ease of exploitation (no authentication required, network-accessible), active exploitation is likely as threat actors routinely target high-severity WordPress plugin flaws.