CVE-2025-15347
Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress
Executive summary
A high-severity vulnerability exists in the Creator LMS plugin for WordPress, identified as CVE-2025-15347. This flaw allows a low-privileged attacker to modify data and escalate their privileges, potentially gaining full administrative control over an affected website. Successful exploitation could lead to a complete site compromise, data theft, and operational disruption.
Vulnerability
The vulnerability is a missing capability check in the plugin's get_items_permissions_check function. In WordPress, a method with this name is the permission_callback a REST API controller registers for its routes; it is supposed to decide, before the route's handler runs, whether the current user may perform the action. In the affected plugin the function does not verify that the requesting user holds the required capability, so any authenticated user, including one with the low-privilege subscriber role, can send a request to the affected route and perform the data modification it exposes. The page describes the outcome of that modification as a promotion of the attacker's own account to the administrator role, which is why the flaw is rated as privilege escalation rather than a simple authorization bypass.
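The following PHP is an added illustration of the pattern the advisory describes, not code from the Creator LMS plugin. It shows a WordPress REST controller whose permission callback only confirms that a user is logged in (the "missing capability check"), beside a hardened callback that requires a capability only trusted roles hold. The namespace hypothetical/v1, the route name, the option it writes and the choice of the manage_options capability are all assumptions made for the example.

```php
<?php
/**
 * Added example for CVE-2025-15347 style flaws. Not the plugin's own code.
 * Assumed: namespace 'hypothetical/v1', route '/items', option
 * 'hypothetical_items', capability 'manage_options'.
 */

class Hypothetical_Items_Controller extends WP_REST_Controller {

    public function register_routes() {
        register_rest_route( 'hypothetical/v1', '/items', array(
            array(
                // EDITABLE = POST, PUT, PATCH: this route modifies data.
                'methods'             => WP_REST_Server::EDITABLE,
                'callback'            => array( $this, 'update_items' ),
                // The advisory's flaw lives in the callback registered here.
                // Swap in get_items_permissions_check_vulnerable() to reproduce it.
                'permission_callback' => array( $this, 'get_items_permissions_check' ),
            ),
        ) );
    }

    /**
     * VULNERABLE shape: any authenticated account passes, a subscriber
     * included. Logged-in status is not a capability check; returning
     * true unconditionally, or omitting the permission_callback, is the
     * same bug.
     */
    public function get_items_permissions_check_vulnerable( $request ) {
        return is_user_logged_in();
    }

    /**
     * HARDENED: require a capability that only the intended roles hold.
     * rest_authorization_required_code() yields 401 for anonymous callers
     * and 403 for authenticated callers who lack the capability.
     */
    public function get_items_permissions_check( $request ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to modify these items.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
        return true;
    }

    /**
     * The write the route protects. Inputs are sanitized, but sanitization
     * is not authorization: without the capability check above, a
     * subscriber could still reach this code and overwrite the option.
     */
    public function update_items( $request ) {
        $items = array();
        foreach ( (array) $request->get_param( 'items' ) as $item ) {
            $items[] = array(
                'id'    => absint( isset( $item['id'] ) ? $item['id'] : 0 ),
                'title' => sanitize_text_field( isset( $item['title'] ) ? $item['title'] : '' ),
            );
        }
        update_option( 'hypothetical_items', $items );
        return rest_ensure_response( array( 'updated' => count( $items ) ) );
    }
}

add_action( 'rest_api_init', function () {
    $controller = new Hypothetical_Items_Controller();
    $controller->register_routes();
} );
```

When auditing a plugin for this class of bug, grep for every register_rest_route call and read each permission_callback: anything that returns true, calls only is_user_logged_in(), or uses __return_true is a candidate, and the capability it should check is whatever the route's handler actually needs (manage_options is a conservative default for administrative writes, not the only correct choice).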
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit would grant an attacker administrative control over the WordPress site, resulting in a complete compromise of the web application. Potential consequences include website defacement, theft of sensitive customer or business data, installation of malware or backdoors for persistent access, and disruption of business services. This could lead to significant reputational damage, regulatory fines, and financial loss.
Remediation
Immediate Action: Update the "Creator LMS – The LMS for Creators, Coaches, and Trainers" plugin to the latest patched version provided by the vendor as soon as possible. If the plugin is not critical to business operations, consider deactivating and removing it entirely to eliminate the attack surface.
Proactive Monitoring: Monitor WordPress audit logs for any unauthorized or suspicious user promotions, new administrator account creations, or unexpected changes to posts and pages. Review web server access logs for unusual requests made to the Creator LMS plugin's endpoints. Implement a file integrity monitoring system to detect unauthorized changes to core WordPress or plugin files.
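The WordPress role-change monitoring recommended above can be implemented with a small must-use plugin. The following is an added example written for this advisory, not code from the Creator LMS plugin or from WordPress core. It hooks the core set_user_role, add_user_role and user_register actions and writes a line to the PHP error log for every role change, flagging promotions to administrator, so that the outcome this vulnerability produces is visible in the audit trail regardless of which endpoint caused it. The [rcm] log prefix and the file name are assumptions.

```php
<?php
/**
 * Plugin Name: Role Change Monitor (added example for CVE-2025-15347)
 * Description: Drop this file into wp-content/mu-plugins/ (assumed file
 * name role-change-monitor.php). Logs every role change and every new
 * administrator account to the PHP error log. Not part of the plugin or
 * of WordPress core.
 */

// Who is acting, from where, and through which URL. REST requests show
// up here with a /wp-json/... URI, which is what to look for after a
// suspected exploit of a plugin REST route.
function rcm_context() {
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';
    $uri  = isset( $_SERVER['REQUEST_URI'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '-';
    return sprintf(
        'actor=%s(%d) ip=%s uri=%s',
        ! empty( $user->user_login ) ? $user->user_login : 'anonymous',
        (int) $user->ID,
        $ip,
        $uri
    );
}

// Fires from WP_User::set_role() with the new role and the previous roles.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    $level = ( 'administrator' === $role ) ? 'ALERT' : 'INFO';
    error_log( sprintf(
        '[rcm] %s role change user=%d %s -> %s %s',
        $level, $user_id, implode( ',', (array) $old_roles ), $role, rcm_context()
    ) );
}, 10, 3 );

// Fires from WP_User::add_role(); an account can gain administrator this
// way without set_user_role ever firing.
add_action( 'add_user_role', function ( $user_id, $role ) {
    $level = ( 'administrator' === $role ) ? 'ALERT' : 'INFO';
    error_log( sprintf(
        '[rcm] %s role added user=%d +%s %s',
        $level, $user_id, $role, rcm_context()
    ) );
}, 10, 2 );

// New accounts: flag any that are created directly as administrator.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        error_log( sprintf(
            '[rcm] ALERT new administrator user=%d login=%s %s',
            $user_id, $user->user_login, rcm_context()
        ) );
    }
} );
```

Ship the error log to whatever collector the rest of the estate uses and alert on the ALERT lines; an actor that is a subscriber, or anonymous, promoting any account to administrator through a /wp-json/ URI is the signature of the escalation this advisory describes. A role change made directly in the database bypasses these hooks, which is why file and database integrity monitoring remain necessary alongside it.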
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with virtual patching rules designed to block malicious requests targeting this specific vulnerability. Restrict access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses only, but note that REST API routes are served under /wp-json/ (or via the ?rest_route= query parameter), not under /wp-admin/, so a dashboard restriction alone does not block requests to a plugin's REST endpoints; any IP or WAF rule must cover those paths as well. Enforce the principle of least privilege for all user accounts, ensuring they only have the permissions necessary for their roles, and review whether open self-registration is needed at all, since the flaw is reachable by any authenticated account.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high-severity CVSS score of 8.8, this vulnerability poses a significant risk to any organization using the affected plugin. We strongly recommend that administrators prioritize patching this vulnerability immediately across all relevant WordPress instances. Although this vulnerability is not currently listed on the CISA KEV catalog, its potential for a full system compromise warrants urgent attention. Organizations should apply the update and subsequently verify that the patch has been successfully installed and monitor for any signs of post-exploitation activity.