Doctreat Core <= 1.6.8 - Unauthenticated Privilege Escalation

CVE	CVE-2025-6254
State	PUBLISHED
Assigner	Wordfence
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-06-10 10:16:29 UTC
Updated	2026-06-10 10:16:29 UTC
Description	The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to the doctreat_process_registration() function not properly restricting the roles that a user can register with. This makes it possible for unauthenticated attackers to register as an administrator user.

Primary CVSS: v3.1 9.8 CRITICAL from [email protected]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem Types: CWE-269 | CWE-269 CWE-269 Improper Privilege Management

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	9.8	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
3.1	CNA	DECLARED	9.8	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Source	Vendor	Product	Version	Platforms
CNA	AmentoTech	Doctreat Core	affected 1.6.8 semver	Not specified

Reference	Source	Link	Tags
themeforest.net/item/doctreat-doctors-directory-wordpress-theme/24867777	[email protected]	themeforest.net
www.wordfence.com/threat-intel/vulnerabilities/id/5fa37909-932c-4879-bbf0-8b44c...	[email protected]	www.wordfence.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

CNA: Friderika Baranyai (en)

Source	Time	Event
CNA	2025-10-29T20:49:45.000Z	Vendor Notified
CNA	2026-06-09T20:15:24.000Z	Disclosed

There are currently no legacy QID mappings associated with this CVE.