CVE-2025-15347
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to modify arbitrary WordPress options due to missing capability checks in the Creator LMS plugin. Attackers can escalate privileges, modify site settings, or take full control of affected WordPress sites. All WordPress sites using Creator LMS version 1.1.12 or earlier are affected.
💻 Affected Systems
- Creator LMS – The LMS for Creators, Coaches, and Trainers WordPress plugin
⚠️ Manual Verification Required
The NVD entry for this CVE carries no affected-version range, so automated scanners that key off NVD/CPE data cannot decide from the version string alone whether a site is affected. The boundary used on this page (1.1.12 and earlier affected, fixed in 1.1.13) comes from the vendor's fix changeset linked under Official Fix. Until the NVD entry is updated:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to 1.1.13 or later; no service restart is needed
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover. Arbitrary option writes are a takeover primitive on their own: enabling users_can_register and setting default_role to administrator lets the attacker register a new administrator account, and from there install code, change any setting or deface the site.
Likely Case
Privilege escalation allowing attackers to gain administrative access, modify plugin settings, or disrupt site functionality.
If Mitigated
Limited impact if contributor-and-above accounts are restricted to trusted people, write access to the plugin's settings endpoint is blocked for non-administrators, and option changes are monitored. Network segmentation does not help here: the endpoint is reached through the same public HTTP front end as the rest of the site, by an account the attacker already holds.
🎯 Exploit Status
Exploitation requires an authenticated account but is technically simple once one is held: the vulnerable code is a REST API endpoint that does not check the caller's capabilities before acting. No further trick is needed to reach it; a logged-in contributor can call it with the normal cookie session plus the REST nonce the dashboard already exposes, or with an application password over HTTP Basic authentication.
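The bug class the advisory describes, as an added illustration that is not Creator LMS code and does not claim to reproduce the fixed SettingsController.php: a WordPress REST settings route whose permission_callback only checks that someone is logged in, next to a hardened version. The example-lms namespace, the function names and the option keys are assumptions. The same mistake appears in the wild as permission_callback => '__return_true'.

```php
<?php
// Added illustration, not Creator LMS code: the shape of the bug class the advisory
// describes (a REST settings route with no capability check) next to a hardened
// version. The example-lms namespace, function names and option keys are assumptions.

add_action('rest_api_init', function () {
    // WEAK: is_user_logged_in() is authentication, not authorization. A contributor
    // passes it exactly like an administrator, so whatever the callback does with
    // update_option() is available to every account on the site.
    // (Registered under its own path here only so both routes can coexist in one file.)
    register_rest_route('example-lms/v1', '/settings-weak', [
        'methods'             => 'POST',
        'callback'            => 'example_lms_save_settings_weak',
        'permission_callback' => 'is_user_logged_in',
    ]);

    // HARDENED: the capability check lives in permission_callback, which WordPress
    // evaluates before the handler runs and turns into a 401/403 rest_forbidden.
    register_rest_route('example-lms/v1', '/settings', [
        'methods'             => 'POST',
        'callback'            => 'example_lms_save_settings_hardened',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
    ]);
});

function example_lms_save_settings_weak(WP_REST_Request $request) {
    // Writes any option the caller names: default_role, users_can_register,
    // admin_email, active_plugins ... nothing stops it.
    foreach ((array) $request->get_json_params() as $name => $value) {
        update_option($name, $value);
    }
    return rest_ensure_response(['updated' => true]);
}

// Option key => sanitizer. Only keys listed here can be written, and only as the
// type the plugin expects, so the endpoint never becomes a generic option setter.
const EXAMPLE_LMS_ALLOWED_OPTIONS = [
    'example_lms_currency'    => 'sanitize_text_field',
    'example_lms_course_page' => 'absint',
];

function example_lms_save_settings_hardened(WP_REST_Request $request) {
    $updated = [];
    foreach ((array) $request->get_json_params() as $name => $value) {
        if (!array_key_exists($name, EXAMPLE_LMS_ALLOWED_OPTIONS)) {
            return new WP_Error(
                'example_lms_bad_option',
                sprintf('Option "%s" is not managed by this endpoint.', $name),
                ['status' => 400]
            );
        }
        update_option($name, call_user_func(EXAMPLE_LMS_ALLOWED_OPTIONS[$name], $value));
        $updated[] = $name;
    }
    return rest_ensure_response(['updated' => $updated]);
}
```

Two things make the hardened route safe rather than merely gated: the capability check sits in permission_callback (so it cannot be forgotten in one code path of the handler), and the handler writes only an allow-list of its own option keys, so even a future bug in the permission check cannot turn it into an arbitrary option setter.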
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.13
Fix changeset (WordPress.org plugin SVN, tag 1.1.13): https://plugins.trac.wordpress.org/changeset/3433193/creatorlms/tags/1.1.13/includes/Rest/V1/SettingsController.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Creator LMS plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 1.1.13 from WordPress.org and manually replace the plugin files.
🔧 Temporary Workarounds
Disable Creator LMS Plugin
Temporarily deactivate the vulnerable plugin until it is patched. Deactivation unregisters its REST routes, so the endpoint disappears, but all LMS functionality is unavailable for the duration.
wp plugin deactivate creatorlms
Restrict Contributor Access
Temporarily demote untrusted contributor-level users to subscriber. Record the affected user IDs first so the roles can be restored after patching, and repeat for the author and editor roles where those accounts are not all trusted, since the advisory covers "contributor-level access or higher". The -I{} placeholder is required: wp user set-role takes the user before the role, so piping IDs into xargs without it puts them after the role name.
wp user list --role=contributor --field=ID | xargs -I{} wp user set-role {} subscriber
🧯 If You Can't Patch
- Restrict contributor-level and higher accounts to trusted people, and review existing administrator accounts and recent registrations for any you did not create
- Block write requests (POST/PUT/PATCH) to the Creator LMS settings endpoint at the web application firewall. A WAF cannot see the WordPress role behind a session, so the rule has to block the endpoint for everyone and be lifted when an administrator needs it, or the check has to be enforced inside WordPress (for example with a must-use plugin), where the caller's capabilities are known
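The in-WordPress variant of that control, as an added example that is not vendor code: a must-use plugin (a single file dropped into wp-content/mu-plugins/) that refuses write requests to the settings route for any caller without manage_options, while reads and administrator traffic continue to work. The route prefix is the one this advisory names in its detection indicators; the constant names and the log format are assumptions, and the prefix should be checked against the routes your installed version actually registers (wp rest list or /wp-json/creatorlms/v1).

```php
<?php
/**
 * Plugin Name: Creator LMS settings guard (temporary virtual patch)
 *
 * Added example, not vendor code. Place in wp-content/mu-plugins/ until the
 * site runs Creator LMS 1.1.13 or later, then delete it. Denies write requests
 * to the plugin's settings route for any user lacking manage_options.
 * CLMS_GUARD_ROUTE_PREFIX is taken from this advisory; verify it locally.
 */

const CLMS_GUARD_ROUTE_PREFIX  = '/creatorlms/v1/settings';
const CLMS_GUARD_WRITE_METHODS = ['POST', 'PUT', 'PATCH', 'DELETE'];

add_filter('rest_request_before_callbacks', function ($response, $handler, $request) {
    // Another filter already produced an error; leave it alone.
    if (is_wp_error($response)) {
        return $response;
    }

    $route  = $request->get_route();          // e.g. "/creatorlms/v1/settings"
    $method = strtoupper($request->get_method());

    if (strpos($route, CLMS_GUARD_ROUTE_PREFIX) !== 0) {
        return $response;                     // not the endpoint we care about
    }
    if (!in_array($method, CLMS_GUARD_WRITE_METHODS, true)) {
        return $response;                     // reads are left alone
    }
    if (current_user_can('manage_options')) {
        return $response;                     // administrators keep working
    }

    // Record the blocked attempt in the PHP error log so it can be shipped to the SIEM.
    error_log(sprintf(
        'CLMS-GUARD blocked %s %s user_id=%d ip=%s',
        $method,
        $route,
        get_current_user_id(),
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-'
    ));

    // Short-circuit before the route's own callbacks run; WordPress returns
    // 401 for anonymous callers and 403 for logged-in ones.
    return new WP_Error(
        'rest_forbidden',
        __('You are not allowed to change these settings.'),
        ['status' => rest_authorization_required_code()]
    );
}, 10, 3);
```

rest_request_before_callbacks runs before the route's permission_callback and handler, so the plugin's missing check never gets a chance to matter. Every blocked call is logged with the user id, which is exactly the signal a web-server access log cannot give you. Remove the file after updating; it is a stopgap, not a substitute for the patch.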
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Creator LMS → Version number. If version is 1.1.12 or lower, the site is vulnerable.
Check Version:
wp plugin get creatorlms --field=version
Verify Fix Applied:
Verify Creator LMS plugin version is 1.1.13 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST/PUT/PATCH requests to /wp-json/creatorlms/v1/settings from any account that is not an administrator. Web-server access logs do not record the WordPress user or role behind a request, so this needs a WordPress-side audit source (an audit-log plugin, or a hook on option updates) that records user id and role
- Changes to options the LMS has no reason to touch, above all default_role, users_can_register, admin_email, siteurl, home and active_plugins, or any option change attributed to a non-administrator account
- A new administrator account, or a promotion to administrator, shortly after such a request
- Because the vulnerable endpoint performs no capability check, a successful exploit produces no failed-authorization events; do not wait for a burst of 401/403 responses before treating a settings change as suspicious
Network Indicators:
- HTTP POST/PUT/PATCH requests to /wp-json/creatorlms/v1/settings whose body names core WordPress options rather than plugin settings
- REST write requests to that endpoint from client addresses or user agents that never load /wp-admin/ or other authenticated pages
SIEM Query:
A query on these indicators only works over a source that carries the user's role, i.e. a WordPress audit log rather than raw web-server logs; the field names below are placeholders to map onto your source. Filter out administrators rather than matching only "contributor", because author and editor accounts are affected as well:
source="wordpress_audit" AND http_method IN ("POST","PUT","PATCH") AND uri_path="/wp-json/creatorlms/v1/settings" AND NOT user_role="administrator"
source="wordpress_audit" AND event="option_update" AND option IN ("default_role","users_can_register","admin_email","siteurl","home","active_plugins") AND NOT user_role="administrator"
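One way to produce the WordPress-side events those queries need, as an added example that is not part of the advisory or the plugin: a must-use plugin that hooks every option add/update and writes a log line carrying the user id, roles, request URI and whether the write came through the REST API. It logs writes by logged-in non-administrators and any write made via REST, flags the core options named above as HIGH, and skips transients because core and plugins churn them constantly. The OPTAUDIT line format, the function names and the high-value option list are assumptions; ship the PHP error log to the SIEM and map the fields onto the placeholders used in the queries.

```php
<?php
/**
 * Plugin Name: Option-change audit (added example)
 *
 * Added example, not vendor code. Place in wp-content/mu-plugins/. Logs every
 * add/update of a WordPress option made by a logged-in user without
 * manage_options, or arriving via the REST API, with user id and roles,
 * which web-server access logs never contain.
 */

// Options whose modification by a non-administrator is an incident on its own
// (assumed list; extend for your site).
const OPTAUDIT_HIGH_VALUE = [
    'default_role', 'users_can_register', 'admin_email', 'siteurl', 'home',
    'active_plugins', 'template', 'stylesheet',
];

function optaudit_via_rest() {
    return defined('REST_REQUEST') && REST_REQUEST;
}

function optaudit_should_log($option) {
    // Transients are options too; they change constantly and carry no signal here.
    if (strpos($option, '_transient_') === 0 || strpos($option, '_site_transient_') === 0) {
        return false;
    }
    $user_id  = get_current_user_id();
    $is_admin = $user_id && user_can($user_id, 'manage_options');

    // A non-admin logged-in user wrote an option, or the write came through REST.
    return ($user_id && !$is_admin) || optaudit_via_rest();
}

function optaudit_record($action, $option, $value) {
    if (!optaudit_should_log($option)) {
        return;
    }
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode(',', $user->roles) : 'none';
    $sev   = in_array($option, OPTAUDIT_HIGH_VALUE, true) ? 'HIGH' : 'INFO';

    // Values may be large or sensitive (API keys); log a short fingerprint only.
    $fingerprint = substr(hash('sha256', maybe_serialize($value)), 0, 12);

    error_log(sprintf(
        'OPTAUDIT %s action=%s option=%s user_id=%d roles=%s rest=%d uri=%s ip=%s value_sha256=%s',
        $sev,
        $action,
        $option,
        $user->ID,
        $roles,
        optaudit_via_rest() ? 1 : 0,
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-',
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-',
        $fingerprint
    ));
}

// updated_option passes (option, old_value, new_value); added_option passes (option, value).
add_action('updated_option', function ($option, $old_value, $value) {
    optaudit_record('update', $option, $value);
}, 10, 3);

add_action('added_option', function ($option, $value) {
    optaudit_record('add', $option, $value);
}, 10, 2);
```

A HIGH line with roles=contributor (or author/editor) and uri=/wp-json/creatorlms/v1/settings is the exploit in progress; INFO lines from administrators working in the block or site editor are expected and can be tuned out. Some plugins legitimately write per-user preference options on behalf of non-administrators, so expect a short tuning period before alerting on every INFO line.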