Security Alert Summary
The Doctreat Core plugin for WordPress contains a privilege escalation vulnerability that allows unauthenticated attackers to register accounts with elevated roles. The issue stems from insufficient role validation during the registration process, which can enable attackers to register as an administrator user.
CVE Details
- CVE ID: CVE-2025-6254
- Affected component: Doctreat Core plugin for WordPress
- Affected versions: All versions up to, and including, 1.6.8
- Published: June 10, 2026 at 10:16:29 AM
- Last modified: June 10, 2026 at 10:16:29 AM
- CVSS v3.1: Base score 9.8, severity CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Authentication / privileges / user interaction: Authentication not required; Privileges required: None; User interaction: None
- Primary impact (CIA): Confidentiality: High; Integrity: High; Availability: High
- CWE / weakness: CWE-269 (Improper Privilege Management)
Technical Details
The vulnerability is caused by the doctreat_process_registration() function not properly restricting the roles that may be assigned during user registration. Because role validation is insufficient, an unauthenticated actor can submit registration data that results in an account being created with administrative privileges.
The core issue is a missing or inadequate check on the requested role during the registration flow. The CVE description indicates the registration handler accepts or applies elevated roles without enforcing allowed-role constraints for new accounts.
The vulnerable code path is account creation and the privileges granted to newly created accounts; because that path can produce an account with administrative capabilities, successful exploitation has high confidentiality, integrity, and availability impact.
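The weak pattern behind CWE-269 in a registration handler, beside a hardened form that maps the requested role against a fixed allowlist, as an added illustration that is not the Doctreat Core plugin's own code: the function names, the `role` request field, and the `patient`/`doctor` role names are hypothetical, and the WordPress API calls (`wp_insert_user`, `wp_roles`, `wp_verify_nonce`, `get_option`) are the real ones.

```php
<?php
// Added example, not code from the Doctreat Core plugin. Function names, the
// 'role' request field and the 'patient'/'doctor' roles are hypothetical.

// Weak pattern (CWE-269): the role is taken straight from the request, so any
// registered WordPress role, including 'administrator', can be requested.
function doctreat_process_registration_weak(array $post) {
    $userdata = array(
        'user_login' => sanitize_user($post['username'] ?? ''),
        'user_email' => sanitize_email($post['email'] ?? ''),
        'user_pass'  => $post['password'] ?? '',
        'role'       => sanitize_key($post['role'] ?? 'subscriber'), // caller-controlled
    );
    return wp_insert_user($userdata);
}

// Hardened pattern: only roles on a fixed allowlist may be produced by
// self-registration; anything else falls back to the site's default role.
// 'administrator' is never on the list, so it is unreachable from this path.
function doctreat_resolve_registration_role(?string $requested): string {
    $allowed   = array('patient', 'doctor'); // hypothetical low-privilege plugin roles
    $requested = sanitize_key((string) $requested);
    if (in_array($requested, $allowed, true) && wp_roles()->is_role($requested)) {
        return $requested;
    }
    // Log the rejected request so audit reviews can spot probing of the form.
    if ($requested !== '') {
        error_log('doctreat: rejected registration role "' . $requested . '"');
    }
    return (string) get_option('default_role', 'subscriber');
}

function doctreat_process_registration_hardened(array $post) {
    // Reject requests that did not originate from the site's own form.
    if (!isset($post['_wpnonce']) || !wp_verify_nonce($post['_wpnonce'], 'doctreat_register')) {
        return new WP_Error('bad_nonce', 'Invalid registration request.');
    }
    $userdata = array(
        'user_login' => sanitize_user($post['username'] ?? ''),
        'user_email' => sanitize_email($post['email'] ?? ''),
        'user_pass'  => $post['password'] ?? '',
        'role'       => doctreat_resolve_registration_role($post['role'] ?? null),
    );
    return wp_insert_user($userdata); // int user ID or WP_Error
}
```

Auditing existing sites for the same class of flaw means checking every call to wp_insert_user(), wp_update_user() or WP_User::set_role() reachable by unauthenticated users and confirming the role value cannot come from the request.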
How This Could Impact Your Website
On a multi-user WordPress site, this vulnerability could be abused by an external attacker to register an account with administrator privileges. For example, an attacker could register as a new user and receive an administrative role, then modify site content, change plugins or themes, access private user data, or create additional accounts.
For a site with a site owner, internal staff, and external contractors or contributors, the practical consequences include exposure of internal user email addresses and other sensitive data and an increased risk of targeted phishing or social engineering against staff and contractors. Compromised administrative accounts can be used to perform actions that affect many users.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor- and author-level roles that could escalate if misconfigured.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and themes.
- Monitor site activity and audit logs for unusual account creation, role changes, or administrative actions.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.