CVE-2025-10742: CWE-639 Authorization Bypass Through User-Controlled Key in dreamstechnologies Truelysell Core
The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note: This can only be exploited unauthenticated if the attacker knows which page contains the 'truelysell_edit_staff' shortcode.
AI Analysis
Technical Summary
CVE-2025-10742 is a critical security vulnerability identified in the Truelysell Core plugin for WordPress, affecting all versions up to and including 1.8.6. The root cause is an authorization bypass (CWE-639) where the plugin improperly allows user-controlled access to internal objects. Specifically, the vulnerability enables an unauthenticated attacker who knows the location of the 'truelysell_edit_staff' shortcode page to arbitrarily change user passwords, including those of administrators. This is possible because the plugin fails to enforce proper authorization checks before processing password change requests, effectively allowing attackers to escalate privileges and take over accounts without any authentication or user interaction. The CVSS 3.1 base score is 9.8, reflecting the vulnerability's ease of exploitation (network vector, no privileges required, no user interaction) and its severe impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the high severity and straightforward exploitation method make this a critical threat. The vulnerability affects WordPress sites using the Truelysell Core plugin, which is commonly used for e-commerce and digital service management. The lack of available patches at the time of disclosure necessitates immediate defensive actions to mitigate risk.
Potential Impact
For European organizations, this vulnerability presents a significant risk of unauthorized account takeover, particularly of administrator accounts, which can lead to full site compromise. Attackers exploiting this flaw can change passwords arbitrarily, potentially locking out legitimate users and gaining persistent control over the WordPress environment. This can result in data breaches, defacement, insertion of malicious content, or use of the site as a launchpad for further attacks within the network. Organizations relying on WordPress for e-commerce, customer management, or internal portals are at heightened risk of operational disruption and reputational damage. Given the criticality and ease of exploitation, the impact on confidentiality, integrity, and availability is severe. The threat is amplified in sectors with stringent data protection regulations like GDPR, where breaches can lead to substantial fines and legal consequences.
Mitigation Recommendations
Until an official patch is released, European organizations should take immediate steps to mitigate risk:
- Restrict access to pages containing the 'truelysell_edit_staff' shortcode via web application firewalls (WAFs) or IP whitelisting to prevent unauthorized access.
- Implement monitoring and alerting for unusual password change activities, especially for administrator accounts.
- Employ multi-factor authentication (MFA) on all WordPress accounts to reduce the impact of compromised credentials.
- Regularly audit user accounts and permissions to detect unauthorized changes.
- Consider temporarily disabling or removing the Truelysell Core plugin if feasible.
- Maintain up-to-date backups to enable recovery in case of compromise.
- Once a patch is available, prioritize prompt application and verify the fix through testing.
- Educate site administrators about this vulnerability and encourage vigilance against suspicious activity.
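The summary above attributes the flaw to a password-change handler that acts on a user-supplied identifier without an authorization check, and the recommendations call for monitoring of password changes. The following is an added illustration of that bug class and its fix in a generic WordPress shortcode handler; it is not Truelysell Core's code (which is not shown on this page), and the function names, form field names, shortcode tag and nonce action are hypothetical.

```php
<?php
/**
 * Added illustration of the CWE-639 pattern described in the advisory.
 * NOT Truelysell Core's code: the handler names, the 'user_id' and
 * 'new_password' form fields, the shortcode tag and the nonce action are
 * all hypothetical. It contrasts a handler that trusts a request-supplied
 * user ID with one that authorizes the request before acting on it.
 */

// --- Vulnerable pattern (hypothetical): the target user ID comes straight
// from the request and nothing checks who is asking. Any visitor who can
// reach the form can set a new password on any account.
function hypothetical_vulnerable_change_password() {
    if ( empty( $_POST['user_id'] ) || empty( $_POST['new_password'] ) ) {
        return;
    }
    $user_id = (int) $_POST['user_id'];
    wp_set_password( wp_unslash( $_POST['new_password'] ), $user_id );
}

// --- Hardened handler: the same operation, authorized before it runs.
function hypothetical_hardened_change_password() {
    if ( empty( $_POST['user_id'] ) || empty( $_POST['new_password'] ) ) {
        return;
    }

    // 1. The caller must be an authenticated WordPress user at all.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Authentication required.', 'Forbidden', array( 'response' => 401 ) );
    }

    // 2. The request must carry a valid nonce bound to this action (CSRF).
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'hypothetical_change_password' ) ) {
        wp_die( 'Invalid request token.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 3. Authorize access to the *object*: the caller may change only their
    //    own password, or must hold the capability to edit the target user.
    //    This object-level check is the one whose absence is CWE-639.
    $target_id = (int) $_POST['user_id'];
    $caller_id = get_current_user_id();
    if ( $target_id !== $caller_id && ! current_user_can( 'edit_user', $target_id ) ) {
        error_log( sprintf( 'Denied password change: user %d targeted user %d', $caller_id, $target_id ) );
        wp_die( 'You are not allowed to change this password.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 4. Defence in depth: a front-end staff form has no business touching
    //    administrator accounts, even for callers who pass the checks above.
    if ( user_can( $target_id, 'manage_options' ) ) {
        wp_die( 'Administrator passwords cannot be changed here.', 'Forbidden', array( 'response' => 403 ) );
    }

    wp_set_password( wp_unslash( $_POST['new_password'] ), $target_id );

    // 5. Audit trail feeding the password-change monitoring recommended above.
    error_log( sprintf( 'Password changed for user %d by user %d', $target_id, $caller_id ) );
}

// Wire the hardened handler to a hypothetical shortcode. The rendered form
// (omitted here) must include wp_nonce_field( 'hypothetical_change_password' )
// so that step 2 can succeed for legitimate submissions.
add_shortcode( 'hypothetical_edit_staff', function () {
    if ( isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'] ) {
        hypothetical_hardened_change_password();
    }
    return '';
} );
```

The key design point is step 3: authentication (step 1) and a nonce (step 2) are necessary but not sufficient, because they establish only that some legitimate user submitted the form, not that this user is allowed to act on the user ID they supplied. The `error_log()` lines give a defender a concrete signal to alert on, particularly the denied attempts, which are the early indicator of someone probing the form.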
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-19T18:39:16.715Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68f0983c20d29eed058254aa
Added to database: 10/16/2025, 7:01:16 AM
Last enriched: 10/16/2025, 7:16:24 AM
Last updated: 10/16/2025, 11:20:36 AM