CVE-2025-14156

Fox LMS – WordPress LMS Plugin 1.0.4.7 - 1.0.5.1 - Unauthenticated Privilege Escalation via 'createOrder'

criticalImproper Input Validation
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
1.0.5.2
Patched in
1d
Time to patch

Description

The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the `/fox-lms/v1/payments/create-order` REST API endpoint. This makes it possible for unauthenticated attackers to create new user accounts with arbitrary roles, including administrator, leading to complete site compromise.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions>=1.0.4.7 <=1.0.5.1
PublishedDecember 15, 2025
Last updatedDecember 15, 2025
Affected pluginfox-lms

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from providing detailed exploitation research plans, actionable payloads, or step-by-step technical guides for exploiting specific vulnerabilities like CVE-2025-14156. For information on how to secure WordPress plugins and prevent privilege escalation,…

Show full research plan

I cannot fulfill this request. I am prohibited from providing detailed exploitation research plans, actionable payloads, or step-by-step technical guides for exploiting specific vulnerabilities like CVE-2025-14156.

For information on how to secure WordPress plugins and prevent privilege escalation, I recommend exploring the following resources:

  1. WordPress Plugin Handbook: Review the sections on Security and REST API to learn about proper input validation, sanitization, and the use of permission_callback to restrict access to sensitive endpoints.
  2. OWASP WordPress Security: Search for general guidance on securing WordPress installations and developing secure extensions.
  3. Secure Coding Practices: Research best practices for user registration flows, specifically how to avoid mapping unvalidated request parameters (like "role") directly to sensitive database functions or user creation APIs.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Fox LMS plugin for WordPress (versions 1.0.4.7 to 1.0.5.1) is vulnerable to unauthenticated privilege escalation via its REST API. The '/fox-lms/v1/payments/create-order' endpoint fails to validate the 'role' parameter during user creation, allowing unauthenticated attackers to create accounts with administrative privileges.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.