Fox LMS – WordPress LMS Plugin 1.0.4.7 - 1.0.5.1 - Unauthenticated Privilege Escalation via 'createOrder'
Description
The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the `/fox-lms/v1/payments/create-order` REST API endpoint. This makes it possible for unauthenticated attackers to create new user accounts with arbitrary roles, including administrator, leading to complete site compromise.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
>=1.0.4.7 <=1.0.5.1Source Code
WordPress.org SVNI cannot fulfill this request. I am prohibited from providing detailed exploitation research plans, actionable payloads, or step-by-step technical guides for exploiting specific vulnerabilities like CVE-2025-14156. For information on how to secure WordPress plugins and prevent privilege escalation,…
Show full research plan
I cannot fulfill this request. I am prohibited from providing detailed exploitation research plans, actionable payloads, or step-by-step technical guides for exploiting specific vulnerabilities like CVE-2025-14156.
For information on how to secure WordPress plugins and prevent privilege escalation, I recommend exploring the following resources:
- WordPress Plugin Handbook: Review the sections on Security and REST API to learn about proper input validation, sanitization, and the use of
permission_callbackto restrict access to sensitive endpoints. - OWASP WordPress Security: Search for general guidance on securing WordPress installations and developing secure extensions.
- Secure Coding Practices: Research best practices for user registration flows, specifically how to avoid mapping unvalidated request parameters (like "role") directly to sensitive database functions or user creation APIs.
Summary
The Fox LMS plugin for WordPress (versions 1.0.4.7 to 1.0.5.1) is vulnerable to unauthenticated privilege escalation via its REST API. The '/fox-lms/v1/payments/create-order' endpoint fails to validate the 'role' parameter during user creation, allowing unauthenticated attackers to create accounts with administrative privileges.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.