CVE-2025-14156 · CRITICAL 9.8 · EPSS percentile 35.3%

Description

The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the `/fox-lms/v1/payments/create-order` REST API endpoint. This makes it possible for unauthenticated attackers to create new user accounts with arbitrary roles, including administrator, leading to complete site compromise.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.44% probability of exploitation · percentile 35.3% · scored 2026-06-18T12:00:27Z
Published: 2025-12-15
Last modified: 2026-04-15

Underlying weaknesses (1)

CWE-20: Improper Input Validation

References

  1. https://plugins.trac.wordpress.org/changeset?old_path=%2Ffox-lms%2Ftags%2F1.0.5.0%2Fincludes%2Frest%2FPayments.php&new_path=%2Ffox-lms%2Ftags%2F1.0.5.2%2Fincludes%2Frest%2FPayments.php
  2. https://www.wordfence.com/threat-intel/vulnerabilities/id/de4f8d45-9522-4a32-bc98-be8dbf3a5cf1?source=cve

Weakness mapping (1)

Type: Weakness · Target: Improper Input Validation (cwe-20) · Confidence: 0% · Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-11086
  2. CVE-2025-13618
  3. CVE-2025-13563
  4. CVE-2025-13542
  5. CVE-2025-13619
  6. CVE-2025-15521
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.