CVE-2025-15347HIGH 8.8EPSS p18.7%

CVE-2025-15347CVE-2025-15347

Description

The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.27% probability of exploitation · percentile 18.7% · 2026-06-18T12:00:27Z
Published2026-01-20
Last modified2026-04-15

Underlying weaknesses· 1

CWE-862

References

  1. https://plugins.trac.wordpress.org/changeset/3433193/creatorlms/tags/1.1.13/includes/Rest/V1/SettingsController.php
  2. https://www.wordfence.com/threat-intel/vulnerabilities/id/4bddaefc-9ddc-4798-acb6-7b87f7c924a1?source=cve

1

TypeTargetConfidenceTier
WeaknessMissing Authorizationcwe-8620%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-11923
CVE
CVE-2025-15521
CVE
CVE-2026-32530
CVE
CVE-2025-13618
CVE
CVE-2025-3101
CVE
CVE-2025-13542
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.