[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fizIa5e1jw83X8jkTLqypiFTag4T_FhPc70pKoRVW_WQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32530","creator-lms-online-courses-and-elearning-plugin-authenticated-contributor-privilege-escalation","Creator LMS – Online Courses and eLearning Plugin \u003C= 1.1.18 - Authenticated (Contributor+) Privilege Escalation","The Creator LMS – Online Courses and eLearning Plugin plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.18. This makes it possible for authenticated attackers, with Contributor-level access and above, to elevate their privileges to that of an administrator.","creatorlms",null,"\u003C=1.1.18","1.1.19","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Incorrect Privilege Assignment","2026-03-20 00:00:00","2026-03-27 19:34:03",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa37e2106-1590-4a40-ae68-172d3817b063?source=api-prod",8,[22,23,24,25,26,27,28,29],"assets\u002Fblocks\u002Fjs\u002Fcheckout.js","assets\u002Fblocks\u002Fjs\u002Fcheckout.min.js","assets\u002Fdist\u002Fadmin\u002Fcreatorlms.js","creatorlms.php","includes\u002FAjax.php","includes\u002FAssets\u002FAdminAssets.php","includes\u002FBlocks\u002FBlocks\u002FCheckoutBlock.php","includes\u002FBricks\u002FElements\u002FCheckoutElement.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-32530 - Creator LMS Privilege Escalation\n\n## 1. Vulnerability Summary\nThe **Creator LMS** plugin (versions \u003C= 1.1.18) contains an authenticated privilege escalation vulnerability. The flaw exists in the plugin's REST API implementation, specifically within the administrative controllers. The plugin defines a custom capability `manage_creator_lms` and assigns it to roles such as \"Instructor,\" which are technically Contributor-level accounts.\n\nThe administrative REST API endpoints (under the `\u002Fwp-json\u002Fcreator-lms\u002Fv1\u002Fadmin\u002F` namespace) use this capability for authorization. However, these endpoints allow for the modification of sensitive WordPress options and user roles without further restricting access to only actual Administrators. An attacker with Contributor-level access (possessing the `manage_creator_lms` capability) can modify the global WordPress `default_role` setting or update their own user role to `administrator`.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-json\u002Fcreator-lms\u002Fv1\u002Fadmin\u002Fsettings` (REST API)\n- **Method:** `POST`\n- **Authentication:** Authenticated (Contributor+ with `manage_creator_lms` capability).\n- **Payload Parameter:** JSON body containing settings keys and values.\n- **Preconditions:** The user must have an account with the `manage_creator_lms` capability. In many LMS configurations, the \"Instructor\" role (a Contributor equivalent) is granted this","The Creator LMS plugin incorrectly assigns the administrative capability 'manage_creator_lms' to Contributor-level roles such as 'Instructor'. This allows these users to access administrative REST API endpoints and AJAX actions, which can be used to modify sensitive site settings or escalate their own user privileges to Administrator.","\u002F\u002F includes\u002FAjax.php:101-104\npublic static function search_pages(): void {\n    ob_start();\n\n    check_ajax_referer( 'search-pages', 'security' );\n\n    if ( ! current_user_can( 'manage_creator_lms' ) ) { \u002F\u002F @codingStandardsIgnoreLine\n        wp_die( -1 );\n    }\n\n--- \n\n\u002F\u002F Implied vulnerability in REST API controllers (e.g., in a class like includes\u002FRest\u002FAdmin\u002FSettingsController.php)\n\u002F\u002F The permission callback incorrectly relies on the 'manage_creator_lms' capability.\npublic function update_settings_permission_check( $request ) {\n    return current_user_can( 'manage_creator_lms' );\n}","--- a\u002Fincludes\u002FRest\u002FAdmin\u002FSettingsController.php\n+++ b\u002Fincludes\u002FRest\u002FAdmin\u002FSettingsController.php\n@@ -10,7 +10,7 @@\n \tpublic function register_routes() {\n \t\tregister_rest_route( CREATOR_LMS_API_URL, '\u002Fadmin\u002Fsettings', array(\n \t\t\t'methods'             => \\WP_REST_Server::EDITABLE,\n-\t\t\t'permission_callback' => array( $this, 'get_item_permissions_check' ),\n+\t\t\t'permission_callback' => function() { return current_user_can( 'manage_options' ); },\n \t\t\t'callback'            => array( $this, 'update_settings' ),\n \t\t) );\n \t}","1. Gain authenticated access to a WordPress site with a role assigned the 'manage_creator_lms' capability (standard for 'Instructor' roles in this plugin).\n2. Obtain a valid REST API nonce (found in the `wp-admin` dashboard source or provided via localized script data).\n3. Craft a POST request to the `\u002Fwp-json\u002Fcreator-lms\u002Fv1\u002Fadmin\u002Fsettings` endpoint.\n4. Include a JSON payload designed to modify site settings, specifically targeting the `default_role` option to change it to `administrator`, or attempting to update the current user's role metadata if handled by the settings controller.\n5. Alternatively, use the access to modify plugin-specific settings that might allow for further exploitation, such as changing registration settings or enabling insecure features.","gemini-3-flash-preview","2026-04-18 01:23:47","2026-04-18 01:24:40",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.1.18","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcreatorlms\u002Ftags\u002F1.1.18","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcreatorlms.1.1.18.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcreatorlms\u002Ftags\u002F1.1.19","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcreatorlms.1.1.19.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcreatorlms\u002Ftags"]