CVE-2025-14156
The · The Fox LMS Multiple Products
Executive summary
A critical privilege escalation vulnerability has been identified in The Fox LMS WordPress plugin. This flaw allows unauthenticated attackers to create new user accounts with arbitrary privileges, including administrator rights, by exploiting an improperly secured API endpoint. Successful exploitation results in a complete compromise of the affected WordPress site, granting the attacker full control over the website's content, user data, and underlying server functions.
Vulnerability
The vulnerability exists within the /fox-lms/v1/payments/create-order REST API endpoint, which is accessible to unauthenticated users. The function responsible for creating a new user account as part of an order process fails to properly sanitize or validate the role parameter supplied in the request. An attacker can send a specially crafted POST request to this endpoint and include role=administrator in the request body, causing the plugin to create a new user with full administrative privileges on the WordPress site.
Business impact
This vulnerability is rated critical, with a CVSS score of 9.8, reflecting the ease of exploitation and the maximum potential impact. A successful attack grants an unauthorized individual complete control over the organization's website. The potential consequences include theft of sensitive customer or business data, website defacement, distribution of malware to visitors, loss of customer trust, and significant reputational damage. An attacker with administrative access could also pivot to other systems within the network, widening the incident's scope and impact.
Remediation
Immediate Action: Update The Fox LMS plugin to the latest patched version on all WordPress instances. After patching, review all user accounts, particularly those with administrative privileges, and remove any that were created illegitimately by an attacker.
Proactive Monitoring: System administrators should actively monitor web server access logs for suspicious POST requests to the /fox-lms/v1/payments/create-order endpoint. Implement alerts for the creation of new user accounts, especially those assigned high-privilege roles like 'administrator'. Monitor for unexpected plugin installations, theme changes, or modifications to core WordPress files.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block or restrict access to the vulnerable /fox-lms/v1/payments/create-order API endpoint. Alternatively, if the functionality is not critical, consider temporarily disabling the plugin until it can be safely updated.
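The two monitoring tasks above (watching access logs for POST requests to the create-order route, and auditing for newly created high-privilege accounts) can be scripted. The following is an added example written for this advisory; it is not code from the advisory or from the plugin. It assumes the web server writes the common "combined" log format and that the route is reached through WordPress's usual REST conventions, either under the /wp-json/ prefix or via the ?rest_route= query parameter; the log lines, user records, dates and the set of roles treated as high-privilege are all constructed for the demonstration.

```python
"""Detection helpers for the Fox LMS create-order issue (CVE-2025-14156).

Added example, not code from the advisory or the plugin. Assumes the
combined access-log format and WordPress REST routing conventions
(/wp-json/<route> or index.php?rest_route=<route>). All sample data below
is constructed.
"""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, unquote, urlsplit

# Route named in the advisory; WordPress normally serves it under /wp-json/
VULN_ROUTE = "/fox-lms/v1/payments/create-order"
# Roles worth alerting on when a new account gets them (assumption)
HIGH_PRIV_ROLES = {"administrator", "editor"}
# Audit window start: treat privileged accounts registered after this as suspect (constructed)
AUDIT_CUTOFF = datetime(2025, 12, 1, tzinfo=timezone.utc)

# Combined log format: ip - - [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def targets_vuln_route(target: str) -> bool:
    """True if the request target resolves to the create-order REST route,
    either as a path (/wp-json/fox-lms/...) or via ?rest_route=/fox-lms/..."""
    parts = urlsplit(target)
    # Path form: percent-decode and ignore a trailing slash
    if unquote(parts.path).rstrip("/").endswith(VULN_ROUTE):
        return True
    # Query form: parse_qs already percent-decodes the value
    for value in parse_qs(parts.query).get("rest_route", []):
        if value.rstrip("/").endswith(VULN_ROUTE):
            return True
    return False


def find_create_order_posts(log_lines):
    """Return (ip, time, target, status) for POST requests hitting the route.
    Lines that do not match the combined format are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and targets_vuln_route(m["target"]):
            hits.append((m["ip"], m["time"], m["target"], int(m["status"])))
    return hits


def suspicious_privileged_accounts(users, cutoff=AUDIT_CUTOFF):
    """Flag high-privilege accounts registered at or after `cutoff`.
    `users` are dicts shaped like wp_users rows joined with the user's role
    (ID, user_login, user_registered, role); user_registered is UTC."""
    flagged = []
    for u in users:
        registered = datetime.strptime(
            u["user_registered"], "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        if u["role"] in HIGH_PRIV_ROLES and registered >= cutoff:
            flagged.append(u["user_login"])
    return flagged


# --- constructed sample data (documentation IP ranges, invented timestamps) ---
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2025:14:02:11 +0000] "POST /wp-json/fox-lms/v1/payments/create-order HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Dec/2025:14:03:40 +0000] "GET /wp-json/fox-lms/v1/courses HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2025:14:05:02 +0000] "POST /index.php?rest_route=%2Ffox-lms%2Fv1%2Fpayments%2Fcreate-order HTTP/1.1" 200 298 "-" "curl/8.4.0"',
    '192.0.2.9 - - [10/Dec/2025:14:06:15 +0000] "GET /wp-login.php HTTP/1.1" 200 1750 "-" "Mozilla/5.0"',
]
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2023-04-02 09:15:00", "role": "administrator"},
    {"ID": 57, "user_login": "student42", "user_registered": "2025-12-10 14:02:12", "role": "subscriber"},
    {"ID": 58, "user_login": "support_admin", "user_registered": "2025-12-10 14:05:03", "role": "administrator"},
]

if __name__ == "__main__":
    for ip, when, target, status in find_create_order_posts(SAMPLE_LOG):
        print(f"ALERT create-order POST from {ip} at {when} -> {target} ({status})")
    for login in suspicious_privileged_accounts(SAMPLE_USERS):
        print(f"REVIEW privileged account registered after cutoff: {login}")
```

Access logs do not record POST bodies, so the log check can only tell you that the endpoint was called, not whether role=administrator was supplied; that is why it is paired with the account audit, which looks at the effect (a privileged account appearing in the registration window) rather than the request. On a real site the user records would come from wp_users joined with the wp_capabilities row in wp_usermeta, and the cutoff should be set to the earliest date the vulnerable version could have been installed.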
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the critical CVSS score of 9.8 and the potential for complete system compromise by an unauthenticated attacker, this vulnerability requires immediate attention. We strongly recommend that all organizations using the affected versions of The Fox LMS plugin apply the vendor-supplied patch without delay. Furthermore, organizations should assume potential compromise and perform a security audit to check for unauthorized user accounts and other indicators of compromise outlined in the proactive monitoring section.