CVE-2025-10742: CWE-639 Authorization Bypass Through User-Controlled Key in dreamstechnologies Truelysell Core
The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the 'truelysell_edit_staff' shortcode.
AI Analysis
Technical Summary
CVE-2025-10742 affects the Truelysell Core plugin for WordPress, versions up to and including 1.8.6. The vulnerability arises from improper authorization checks related to user-controlled keys that grant access to sensitive objects within the plugin. Specifically, the plugin exposes a shortcode 'truelysell_edit_staff' that, if located by an attacker, can be leveraged to bypass authorization mechanisms. This bypass allows an unauthenticated attacker to arbitrarily change user passwords, including those of administrators, leading to full account takeover. The root cause is classified under CWE-639, which involves authorization bypass through user-controlled keys or parameters. The vulnerability does not require any privileges or user interaction, making it highly exploitable remotely over the network. The CVSS 3.1 score of 9.8 reflects its critical nature, with impacts on confidentiality (full account compromise), integrity (password changes), and availability (potential account lockout or denial of service). Although no public exploits have been reported yet, the straightforward exploitation path and the widespread use of WordPress and its plugins elevate the risk significantly. The vulnerability was publicly disclosed on October 16, 2025, and no official patches have been linked yet, increasing the urgency for mitigation.
Potential Impact
The impact of CVE-2025-10742 is severe for organizations using the Truelysell Core plugin on their WordPress sites. Successful exploitation allows attackers to change any user's password without authentication, including administrator accounts, leading to full system compromise. This can result in unauthorized access to sensitive data, defacement, insertion of malicious code or backdoors, and disruption of services. Organizations may suffer data breaches, loss of customer trust, regulatory penalties, and operational downtime. Since WordPress powers a significant portion of websites globally, and plugins like Truelysell Core are used in various industries for e-commerce and staff management, the scope of impact is broad. The vulnerability's ease of exploitation and lack of required authentication make it attractive for attackers, including opportunistic cybercriminals and targeted threat actors. Additionally, compromised administrator accounts can be leveraged for lateral movement within networks, further escalating the damage.
Mitigation Recommendations
1. Immediately identify and isolate WordPress instances running the Truelysell Core plugin, especially versions up to 1.8.6.
2. Monitor for any suspicious activity related to password changes or access to pages containing the 'truelysell_edit_staff' shortcode.
3. If an official patch or update is released by dreamstechnologies, apply it promptly.
4. In the absence of a patch, restrict access to pages containing the vulnerable shortcode using web application firewalls (WAFs) or server-level access controls to block unauthenticated requests.
5. Implement strict monitoring and alerting for unauthorized password changes and login attempts.
6. Enforce multi-factor authentication (MFA) for all administrator accounts to reduce the risk of account takeover.
7. Conduct regular backups and have incident response plans ready to restore compromised accounts or systems.
8. Consider temporarily disabling or removing the Truelysell Core plugin if it is not critical to operations until a fix is available.
9. Educate site administrators about this vulnerability and encourage vigilance against phishing or social engineering that could compound the risk.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Netherlands, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-19T18:39:16.715Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f0983c20d29eed058254aa
Added to database: 10/16/2025, 7:01:16 AM
Last enriched: 2/27/2026, 6:38:23 PM
Last updated: 3/24/2026, 7:03:04 AM