CVE-2026-32530

Creator LMS – Online Courses and eLearning Plugin <= 1.1.18 - Authenticated (Contributor+) Privilege Escalation

Severity: high
Weakness: Incorrect Privilege Assignment
CVSS Score: 8.8
Patched in: 1.1.19
Time to patch: 8d

Description

The Creator LMS – Online Courses and eLearning Plugin plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.18. This makes it possible for authenticated attackers, with Contributor-level access and above, to elevate their privileges to that of an administrator.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 1.1.18
Published: March 20, 2026
Last updated: March 27, 2026
Affected plugin: creatorlms

What Changed in the Fix

Changes introduced in v1.1.19


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-32530 - Creator LMS Privilege Escalation

1. Vulnerability Summary

The Creator LMS plugin (versions <= 1.1.18) contains an authenticated privilege escalation vulnerability. The flaw exists in the plugin's REST API implementation, specifically within the administrative controllers. The plugin defines a custom capability manage_creator_lms and assigns it to roles such as "Instructor," which are technically Contributor-level accounts.

The administrative REST API endpoints (under the /wp-json/creator-lms/v1/admin/ namespace) use this capability for authorization. However, these endpoints allow for the modification of sensitive WordPress options and user roles without further restricting access to only actual Administrators. An attacker with Contributor-level access (possessing the manage_creator_lms capability) can modify the global WordPress default_role setting or update their own user role to administrator.

2. Attack Vector Analysis

  • Endpoint: /wp-json/creator-lms/v1/admin/settings (REST API)
  • Method: POST
  • Authentication: Authenticated (Contributor+ with manage_creator_lms capability).
  • Payload Parameter: JSON body containing settings keys and values.
  • Preconditions: The user must have an account with the manage_creator_lms capability. In many LMS configurations, the "Instructor" role (a Contributor equivalent) is granted this

Research Findings
Static analysis — not yet PoC-verified

Summary

The Creator LMS plugin incorrectly assigns the administrative capability 'manage_creator_lms' to Contributor-level roles such as 'Instructor'. This allows these users to access administrative REST API endpoints and AJAX actions, which can be used to modify sensitive site settings or escalate their own user privileges to Administrator.

Vulnerable Code

// includes/Ajax.php:101-104
// AJAX handler: the nonce check is correct, but the authorization gate is the
// plugin capability 'manage_creator_lms', which the plugin also grants to
// Contributor-level roles such as 'Instructor'.
public static function search_pages(): void {
    ob_start();

    check_ajax_referer( 'search-pages', 'security' );

    if ( ! current_user_can( 'manage_creator_lms' ) ) { // @codingStandardsIgnoreLine
        wp_die( -1 );
    }

    // ... remainder of the handler is not quoted in the finding
}

--- 

// Implied vulnerability in REST API controllers (e.g., in a class like includes/Rest/Admin/SettingsController.php)
// The permission callback incorrectly relies on the 'manage_creator_lms' capability.
public function update_settings_permission_check( $request ) {
    return current_user_can( 'manage_creator_lms' );
}
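The defensive pattern the finding points to, as an added example that is not code from the Creator LMS plugin: a settings route whose permission callback requires the core `manage_options` capability instead of a plugin capability that may be handed to lower roles, a handler that writes only an allowlist of plugin-prefixed options (so a body naming `default_role` is dropped and logged rather than stored), and an audit helper that reports which roles currently hold a given capability. The namespace `example-lms/v1`, the `example_lms_*` option and function names, and the sanitizer mapping are assumptions made for the example.

```php
<?php
/**
 * Added example (not Creator LMS code): hardened admin settings route for a
 * WordPress plugin, plus a role audit for an over-granted custom capability.
 * Assumed names: REST namespace 'example-lms/v1', options 'example_lms_*'.
 */

// Only these options may be written through the settings endpoint, each with
// the sanitizer applied before storage. Any other key in the request body
// (e.g. 'default_role' or 'users_can_register') is rejected, never stored.
const EXAMPLE_LMS_ALLOWED_SETTINGS = array(
    'example_lms_currency'       => 'sanitize_text_field',
    'example_lms_course_page'    => 'absint',
    'example_lms_enable_reviews' => 'rest_sanitize_boolean',
);

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-lms/v1', '/admin/settings', array(
        'methods'             => \WP_REST_Server::EDITABLE,
        // Writing site options is an administrator task: gate on the core
        // capability, not on a plugin capability granted to instructors.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'callback'            => 'example_lms_update_settings',
    ) );
} );

/**
 * Persist only allowlisted, sanitized settings. Returns both the keys written
 * and the keys rejected so the response and the log show what was dropped.
 */
function example_lms_apply_settings( array $input ): array {
    $written  = array();
    $rejected = array();
    foreach ( $input as $key => $value ) {
        if ( ! isset( EXAMPLE_LMS_ALLOWED_SETTINGS[ $key ] ) ) {
            $rejected[] = $key;
            continue;
        }
        $sanitize = EXAMPLE_LMS_ALLOWED_SETTINGS[ $key ];
        update_option( $key, call_user_func( $sanitize, $value ) );
        $written[] = $key;
    }
    return array( 'written' => $written, 'rejected' => $rejected );
}

function example_lms_update_settings( \WP_REST_Request $request ) {
    $input = $request->get_json_params();
    if ( ! is_array( $input ) ) {
        return new \WP_Error( 'rest_invalid_param', 'Expected a JSON object.', array( 'status' => 400 ) );
    }
    $result = example_lms_apply_settings( $input );
    if ( $result['rejected'] ) {
        // Detection hook: an admin request naming non-plugin options is unusual
        // and worth recording with the acting user id.
        error_log( sprintf(
            'example-lms: user %d sent disallowed settings keys: %s',
            get_current_user_id(),
            implode( ',', $result['rejected'] )
        ) );
    }
    return rest_ensure_response( $result );
}

/**
 * Audit helper: return the slugs of every role that currently holds $cap.
 * Use it to confirm a plugin capability is not present on contributor-level
 * roles after a plugin install or update.
 */
function example_lms_roles_with_cap( string $cap ): array {
    $roles = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities'][ $cap ] ) ) {
            $roles[] = $slug;
        }
    }
    return $roles;
}
```

With the file loaded as an mu-plugin, the audit can be run from WP-CLI with `wp eval 'print_r( example_lms_roles_with_cap( "manage_creator_lms" ) );'`; any role other than administrator in that list is the condition the finding describes. The allowlist is the second layer: even if a permission callback is later loosened again, the handler cannot reach core options such as `default_role`.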

Security Fix

--- a/includes/Rest/Admin/SettingsController.php
+++ b/includes/Rest/Admin/SettingsController.php
@@ -10,7 +10,7 @@
 	public function register_routes() {
 		register_rest_route( CREATOR_LMS_API_URL, '/admin/settings', array(
 			'methods'             => \WP_REST_Server::EDITABLE,
-			'permission_callback' => array( $this, 'get_item_permissions_check' ),
+			'permission_callback' => function() { return current_user_can( 'manage_options' ); },
 			'callback'            => array( $this, 'update_settings' ),
 		) );
 	}
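Review bot: the `+` line hardens only this one route, so any other route still registered with `array( $this, 'get_item_permissions_check' )` (the removed `-` line) keeps the weaker check, and the `search_pages` AJAX handler quoted above still gates on `manage_creator_lms`. Suggest auditing every `register_rest_route` call under `CREATOR_LMS_API_URL` and every `check_ajax_referer`-guarded handler, and additionally narrowing what `update_settings` may write to an allowlist of plugin-prefixed options so that `default_role` cannot be set through this controller regardless of the capability check. As a style point, an anonymous closure in `'permission_callback'` is harder to unit-test and document than a named method; `array( $this, 'update_settings_permissions_check' )` with a docblock stating that `manage_options` is required would match the neighbouring `'callback'` line.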

Exploit Outline

1. Gain authenticated access to a WordPress site with a role assigned the 'manage_creator_lms' capability (standard for 'Instructor' roles in this plugin).
2. Obtain a valid REST API nonce (found in the `wp-admin` dashboard source or provided via localized script data).
3. Craft a POST request to the `/wp-json/creator-lms/v1/admin/settings` endpoint.
4. Include a JSON payload designed to modify site settings, specifically targeting the `default_role` option to change it to `administrator`, or attempting to update the current user's role metadata if handled by the settings controller.
5. Alternatively, use the access to modify plugin-specific settings that might allow for further exploitation, such as changing registration settings or enabling insecure features.
