CVE-2025-14156

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to create new user accounts with administrator privileges in WordPress sites using the Fox LMS plugin. Attackers can completely compromise affected websites by gaining full administrative control. All WordPress installations with Fox LMS plugin versions up to 1.0.5.1 are affected.

💻 Affected Systems

Products:
  • Fox LMS – WordPress LMS Plugin
Versions: All versions up to and including 1.0.5.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with Fox LMS plugin installed and activated. The vulnerable endpoint is part of the plugin's REST API.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site takeover with administrative access, data theft, malware injection, defacement, and use as an attack platform.

🟠 Likely Case: Administrator account creation leading to site compromise, data exfiltration, and backdoor installation.

🟢 If Mitigated: Limited impact if proper network segmentation, WAF rules, and monitoring are in place to detect suspicious user creation.

🌐 Internet-Facing: HIGH - The vulnerable REST API endpoint is accessible without authentication from the internet.
🏢 Internal Only: LOW - The vulnerability requires access to the WordPress REST API, which is typically internet-facing.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit via HTTP POST requests to the vulnerable endpoint with crafted parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.5.2

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?old_path=%2Ffox-lms%2Ftags%2F1.0.5.0%2Fincludes%2Frest%2FPayments.php&new_path=%2Ffox-lms%2Ftags%2F1.0.5.2%2Fincludes%2Frest%2FPayments.php

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find the Fox LMS plugin.
  4. Click 'Update Now' if an update is available.
  5. If no update shows, manually download version 1.0.5.2 from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Block Vulnerable REST Endpoint (platform: linux, Apache)

Add an .htaccess rule to block access to the vulnerable endpoint. Place it above the "# BEGIN WordPress" block so that WordPress's own rewrite to index.php does not handle the request first.

# Add to .htaccess in the WordPress root directory, above the "# BEGIN WordPress" block
RewriteEngine On
RewriteRule ^wp-json/fox-lms/v1/payments/create-order - [F,L]

Note: this path-based rule does not cover the query-parameter form of the same route (?rest_route=/fox-lms/v1/payments/create-order), which WordPress accepts even when pretty permalinks are enabled. A WAF rule should match both forms; deactivating the plugin removes the route entirely.

Disable Plugin (platform: all)

Temporarily disable the Fox LMS plugin until it is patched (WP-CLI):

wp plugin deactivate fox-lms

🧯 If You Can't Patch

  • Disable the Fox LMS plugin immediately
  • Implement WAF rules to block requests to /wp-json/fox-lms/v1/payments/create-order

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Fox LMS version. If version is 1.0.5.1 or lower, you are vulnerable.

Check Version:

wp plugin list --name=fox-lms --field=version

Verify Fix Applied:

After updating, verify Fox LMS plugin shows version 1.0.5.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-json/fox-lms/v1/payments/create-order with role parameter
  • Unexpected user creation events, especially with administrator role
  • Multiple failed login attempts followed by successful admin login from new IP

Network Indicators:

  • HTTP POST requests to vulnerable endpoint from unusual IPs
  • Traffic patterns showing user creation via REST API

SIEM Query:

source="web_logs" AND (url="/wp-json/fox-lms/v1/payments/create-order" OR (event="user_created" AND role="administrator" AND source="rest_api"))
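The log indicators above, as an added detection example that is not part of the original advisory: it scans Combined Log Format access-log lines for POSTs to the vulnerable route in both its forms (the pretty /wp-json path and the ?rest_route= query form that a path-only block rule misses), records whether each request was blocked, and lists the source IPs whose requests actually reached the plugin. The log layout and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format (Apache/nginx default); assumed layout, adjust the regex to your log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
VULN_ROUTE = "/fox-lms/v1/payments/create-order"

def is_vulnerable_route(target: str) -> bool:
    """True if the request targets the endpoint via the pretty path or via ?rest_route=."""
    parts = urlsplit(target)
    if parts.path.rstrip("/").endswith("/wp-json" + VULN_ROUTE):
        return True
    # WordPress also serves REST routes from the rest_route query parameter,
    # which a path-only .htaccess rule does not cover.
    return any(r.rstrip("/") == VULN_ROUTE for r in parse_qs(parts.query).get("rest_route", []))

def find_hits(lines):
    """One record per POST aimed at the endpoint; status 403 means a block rule stopped it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not is_vulnerable_route(m["target"]):
            continue
        status = int(m["status"])
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": status, "blocked": status == 403})
    return hits

def unblocked_sources(hits):
    """Sorted client IPs whose POST actually reached the plugin (2xx response)."""
    return sorted({h["ip"] for h in hits if 200 <= h["status"] < 300})

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "POST /wp-json/fox-lms/v1/payments/create-order HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jan/2025:12:00:05 +0000] "POST /?rest_route=/fox-lms/v1/payments/create-order HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '192.0.2.10 - - [10/Jan/2025:12:00:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:12:01:30 +0000] "POST /wp-json/fox-lms/v1/payments/create-order HTTP/1.1" 403 199 "-" "curl/8.0"',
    '192.0.2.10 - - [10/Jan/2025:12:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("sources that reached the plugin:", unblocked_sources(hits))
```

Any source listed by unblocked_sources warrants a follow-up check of recently created users with the administrator role, since a 2xx response means the request reached the plugin's handler.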
