CVE-2025-13563

Lizza LMS · Lizza LMS Pro WordPress Plugin

The Lizza LMS Pro plugin for WordPress is vulnerable to privilege escalation, enabling unauthenticated attackers to register as administrators and take over the site.

Executive summary

A critical privilege escalation flaw in the Lizza LMS Pro WordPress plugin allows unauthenticated attackers to gain full administrator access during the registration process.

Vulnerability

The lizza_lms_pro_register_user_front_end function does not restrict the roles available during registration. An unauthenticated attacker can supply the 'administrator' role in the registration request to gain full control of the WordPress site.
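The flaw described above is a role-validation problem in the server-side registration handler. The following PHP is an added illustration and is not the plugin's code: the function names, the form field names, the `hypothetical_lms_register` nonce action, the `student` role and the filter name are all assumed; only the WordPress API calls (`wp_insert_user`, `wp_verify_nonce`, `sanitize_key`, `get_role`, `get_option`) are real. The weak pattern passes whatever role the client posted straight to `wp_insert_user`; the hardened pattern only honours a role that the server has put on a self-registration allowlist and falls back to the site default otherwise.

```php
<?php
// Added illustration, not the Lizza LMS Pro code. All function, field, nonce
// and role names below are hypothetical; the WordPress API calls are real.

/**
 * Weak pattern (hypothetical): the role is taken from the request, so a client
 * that posts role=administrator is created as an administrator.
 */
function hypothetical_register_weak() {
    $role = isset( $_POST['role'] ) ? sanitize_text_field( wp_unslash( $_POST['role'] ) ) : 'subscriber';
    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => $role, // client-controlled: this is the defect
    ) );
}

/**
 * Roles that self-registration is allowed to produce. 'administrator' is never
 * on this list. The filter name is hypothetical and lets a site narrow it further.
 */
function hypothetical_self_registration_roles() {
    return apply_filters( 'hypothetical_lms_self_register_roles', array( 'subscriber', 'student' ) );
}

/**
 * Hardened pattern: the server decides the role. A requested role is honoured
 * only if it exists on this site AND is on the allowlist; otherwise the site's
 * default role is used.
 */
function hypothetical_register_hardened() {
    // Reject submissions that do not carry a valid nonce for this form.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'hypothetical_lms_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    $requested = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : '';
    $allowed   = hypothetical_self_registration_roles();

    if ( in_array( $requested, $allowed, true ) && null !== get_role( $requested ) ) {
        $role = $requested;
    } else {
        // default_role is the "New User Default Role" setting; confirm it is a
        // low-privilege role on the site, since this fallback trusts it.
        $role = get_option( 'default_role', 'subscriber' );
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => $role,
    ) );
}
```

The allowlist comparison uses strict `in_array` and checks `get_role()` so that a role string which merely looks similar, or a role that exists in the database but is not meant for self-registration, cannot be selected. The fallback to `default_role` is only as safe as that setting, so the "New User Default Role" option should also be confirmed to be a low-privilege role.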

Business impact

A successful exploit results in the complete compromise of the Learning Management System, including access to student data, course materials, and financial records. The CVSS score of 9.8 reflects the severity of allowing unauthenticated users to escalate to the highest privilege level.

Remediation

Immediate Action: Update the Lizza LMS Pro plugin to the latest version, which corrects the registration role validation logic.

Proactive Monitoring: Inspect the WordPress audit logs for any registrations that resulted in the creation of an administrative account.

Compensating Controls: Implement a manual approval process for new user registrations or restrict registration to specific, low-privilege roles at the system level.
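WordPress core records only the registration timestamp (`user_registered`) for each account unless an audit-log plugin is installed, so a practical first check for the monitoring step above is to list every administrator account registered within a recent window and reconcile each one against a known, authorised provisioning event. The script below is an added example, not part of the advisory or the plugin; the 30-day window and the function name are assumptions, and it is meant to be run inside WordPress (for instance with `wp eval-file`).

```php
<?php
// Added example, not from the advisory or the plugin. Run inside WordPress,
// e.g.: wp eval-file find-recent-admins.php
// The 30-day window and the function name are assumptions; tune the window
// to the period during which the vulnerable plugin version was installed.

/**
 * Return administrator accounts registered within the last $days days,
 * newest first. Each hit should be matched to an authorised admin-creation
 * event; any that cannot be explained warrants incident handling.
 */
function hypothetical_recent_admin_accounts( $days = 30 ) {
    $cutoff = time() - ( $days * DAY_IN_SECONDS );

    // Only users whose capabilities include the administrator role.
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ) );

    $recent = array();
    foreach ( $admins as $user ) {
        // user_registered is stored in UTC as 'Y-m-d H:i:s'.
        $registered = strtotime( $user->user_registered . ' UTC' );
        if ( false !== $registered && $registered >= $cutoff ) {
            $recent[] = array(
                'ID'         => $user->ID,
                'login'      => $user->user_login,
                'email'      => $user->user_email,
                'registered' => $user->user_registered,
            );
        }
    }
    return $recent;
}

$hits = hypothetical_recent_admin_accounts( 30 );
if ( empty( $hits ) ) {
    echo "No administrator accounts registered in the last 30 days.\n";
} else {
    foreach ( $hits as $hit ) {
        printf( "%d\t%s\t%s\t%s UTC\n", $hit['ID'], $hit['login'], $hit['email'], $hit['registered'] );
    }
}
```

The same listing is available without a script via WP-CLI (`wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --orderby=registered --order=desc`). Because `user_registered` is set once at creation, an account that was registered as a low-privilege user and later elevated would not show up in this check; comparing the current administrator list against a known-good baseline, or an audit-log plugin's role-change events, covers that case.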

Exploitation status

Public Exploit Available: No

Analyst recommendation

Immediate remediation is required to prevent unauthorized administrative access. Update the plugin to the latest version and verify that the registration process no longer accepts arbitrary role assignments from the client side.